Symantec VIP Integration Guide for CyberArk Privileged Account Security Solution

Table of Contents

About integrating CyberArk Privileged Account Security Solution with Symantec VIP
    System requirements
    VIP supported features
    Authentication workflow
Configuring CyberArk Privileged Account Security Solution for VIP using RADIUS
    Prerequisites
        Ensuring first-factor authentication
        Configuring the VIP Enterprise Gateway Validation server
    Configuring CyberArk for integrating with Symantec VIP using RADIUS
        Configuring a RADIUS server
        Configuring the user account
        Configuring access through Password Vault Web Access
    Testing the RADIUS integration
        Testing hardware and VIP Access credential authentication
        Testing SMS/Voice authentication
        Testing VIP Access Push authentication
Configuring CyberArk Privileged Account Security Solution for VIP using JavaScript
    Prerequisites
        Ensuring first-factor authentication
    Configuring the CyberArk Privileged Account Security Solution with the VIP integration module for Microsoft AD FS
        Obtaining the AD FS signing certificate
        Adding the CyberArk server as a Relying Party Trust
        Configuring the authentication method
    Testing the JavaScript integration
        Testing the JavaScript integration using a security code
        Testing JavaScript integration for VIP Access Push
        Testing the JavaScript integration for VIP Access Push using a security code
Troubleshooting issues and solutions
Copyright Statement

About integrating CyberArk Privileged Account Security Solution with Symantec VIP

Traditional user name and password authentication is no longer enough to meet today's evolving security threats and regulatory requirements. However, users demand an easy-to-use authentication solution. What is needed today is stronger and smarter authentication that secures corporate data and applications while offering greater ease of use.

Symantec VIP is a cloud-based authentication service that enables enterprises to secure access to online transactions, meet compliance standards, and reduce fraud risk. VIP provides an additional layer of protection beyond the standard user name and password through a wide variety of additional authentication capabilities, including:

- Two-factor authentication – dynamic, one-time-use security codes generated by a user's VIP credential in the form of mobile apps, desktop software, security tokens, and security cards.
- Out-of-band authentication – dynamic, one-time-use security codes delivered by phone call, by SMS text message or email, or by push notifications sent to a registered mobile device.

VIP is based on the open standards of OATH, an industry-wide consortium working with other groups to promote widespread strong authentication. Because the service is hosted by Symantec, enterprises engage one solution to support multiple enterprise, partner, and customer-facing applications requiring strong authentication. Intended for administrators, this guide helps you prepare for VIP integration by providing a comprehensive outline for planning, decision making, and task prioritization for a successful deployment.

Users generate a security code on a VIP credential that they register with Symantec's VIP Service.
They use that security code, along with their user name and password, to gain access to the resources protected by CyberArk.

System requirements

The integration environment used in this document is based on the following software versions:

Table 1: System requirements

Partner Product                                  Partner Components and Version
CyberArk Privileged Account Security Solution    Password Vault Web Access (PVWA) v9.8 and v10.8
                                                 Digital Vault v9.8 and v10.8
                                                 PrivateArk Server
                                                 PrivateArk Client

VIP supported features

Table 2 lists the VIP Enterprise Gateway features that are supported with CyberArk.

Table 2: VIP supported features

VIP feature                                                          Support
First-factor authentication
  AD/LDAP password through VIP Enterprise Gateway                    Yes
  VIP PIN                                                            No
Second-factor authentication
  VIP Access Push                                                    Yes
  SMS                                                                Yes
  Voice                                                              Yes
Selective strong authentication
  End user-based                                                     Yes
  Risk-based (Intelligent Authentication)                            No
  Target resource-based (a user is challenged for additional
  authentication based on resource access)                           No
General authentication
  Multi-domain                                                       Yes
  Anonymous user name                                                Yes
  Legacy authentication provider integration (delegation)            Yes
  AD password reset                                                  Yes
Integration method
  VIP JavaScript (JavaScript is used for push and out-of-band
  (OOB) authentication such as SMS and Voice; requires VIP
  integration with Microsoft Active Directory Federation
  Service (AD FS))                                                   Yes
  VIP Login                                                          No
  SOAP Web Service APIs                                              No
  RADIUS                                                             Yes

Authentication workflow

This section describes how the integration of Symantec VIP with CyberArk Privileged Account Security Solution authenticates a user's access to protected resources. This workflow describes the integration for the User ID – LDAP Password – Security Code authentication method.

Table 3: Workflow description

Step  Description
1     The user enters a user name, password, and a security code in the CyberArk Privileged Account Security Solution login page.
2     CyberArk Privileged Account Security Solution sends the user name, password, and the security code to VIP Enterprise Gateway.
3     As the first part of the two-factor authentication process, the VIP Enterprise Gateway Validation server authenticates the user name and the password against your user store. For example, if AD/LDAP is the user store, the Validation server authenticates the user name and the password against AD/LDAP. After successful authentication, the user store sends an authentication response to the VIP Enterprise Gateway Validation server.
4     As the second part of the two-factor authentication process, the VIP Enterprise Gateway Validation server authenticates the user name and the security code with VIP Service. After successful authentication, VIP Service sends an authentication response to the VIP Enterprise Gateway Validation server.
5     If the user name and the security code are successfully authenticated, the VIP Enterprise Gateway returns an Access-Accept authentication response to the Privileged Account Security Solution.
6     Based on the Access-Accept authentication response, CyberArk Privileged Account Security Solution grants the user access to the protected resource.
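The RADIUS leg of this workflow (steps 2 and 5, and the RADIUS Challenge page used for SMS/Voice) is shown below as an added example; it is not code from this guide, CyberArk or Symantec. It builds the Access-Request that PVWA sends, with the password and security code carried in one User-Password attribute as the login page collects them, recovers the credentials as the Validation server would, and verifies the Response Authenticator of the reply with the shared secret so that a forged Access-Accept is rejected. The shared secret, user name, password and security code in the test are constructed values; the packet layout and password hiding follow RFC 2865.

```python
# Added example (not from the guide): the RADIUS exchange between PVWA and the
# VIP Enterprise Gateway Validation server, modelled on RFC 2865.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD = 1, 2  # attribute types used by this exchange

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def _password_xor(secret, authenticator, data, reveal=False):
    """RFC 2865 5.2: 16-byte blocks XORed with chained MD5(secret + previous ciphertext block)."""
    data += b"\x00" * (-len(data) % 16)  # pad plaintext; no-op when un-hiding
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block if reveal else out[-16:]
    return out

def build_access_request(secret, ident, username, password, security_code, authenticator=None):
    """What PVWA sends: User-Password carries the password followed by the security code."""
    auth = authenticator or os.urandom(16)  # Request Authenticator, fresh per request
    hidden = _password_xor(secret, auth, (password + security_code).encode())
    attrs = _attr(USER_NAME, username.encode()) + _attr(USER_PASSWORD, hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def reveal_credentials(secret, request):
    """What the Validation server recovers: User-Name and the un-hidden User-Password."""
    attrs, pos = {}, 20
    while pos < len(request):
        atype, alen = request[pos], request[pos + 1]
        attrs[atype] = request[pos + 2:pos + alen]
        pos += alen
    password = _password_xor(secret, request[4:20], attrs[USER_PASSWORD], reveal=True)
    return attrs[USER_NAME].decode(), password.rstrip(b"\x00").decode()

def build_response(secret, code, request):
    header = struct.pack("!BBH", code, request[1], 20)  # no attributes in this reply
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def check_response(secret, request, response):
    """Accept only replies whose Response Authenticator proves knowledge of the shared secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if ident != request[1] or response[4:20] != expected:
        return "invalid"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "challenge"}.get(code, "unknown")
```

An Access-Challenge reply is what drives the RADIUS Challenge page in the SMS/Voice test procedure; the client answers it with a second Access-Request carrying the delivered code.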

Configuring CyberArk Privileged Account Security Solution for VIP using RADIUS

Complete the following general tasks to configure CyberArk Privileged Account Security Solution for VIP using RADIUS:

- Prerequisites
- Configuring CyberArk for integrating with Symantec VIP using RADIUS

Prerequisites

Before you integrate CyberArk Privileged Account Security Solution with Symantec VIP for second-factor authentication over RADIUS, you must complete the following steps:

Table 4: Prerequisites for configuring CyberArk Privileged Account Security Solution for RADIUS

Prerequisite                                                          Resource
Ensure that first-factor authentication is working.                   Ensuring first-factor authentication
Install and configure VIP Enterprise Gateway, and configure the       Configuring the VIP Enterprise Gateway Validation server
VIP Enterprise Gateway Validation server.

Ensuring first-factor authentication

You must make sure that first-factor authentication is working:

- Configure CyberArk Privileged Account Security Solution with LDAP.
- Make sure that a user is able to log into CyberArk with a user name and a password.

For more information, see the CyberArk documentation.

Configuring the VIP Enterprise Gateway Validation server

Complete the following steps to install and configure VIP Enterprise Gateway.

1. Install and configure VIP Enterprise Gateway. For full procedures, refer to the VIP Enterprise Gateway Installation and Configuration Guide online at the Broadcom TechDocs portal.
2. Add the Validation server as follows:
   - If you have installed a version of VIP Enterprise Gateway earlier than version 9.8, add the Validation server for the User ID – LDAP Password – Security code authentication method.
   - If you have installed VIP Enterprise Gateway version 9.8 or later, perform the following steps:
     – Log in to VIP Enterprise Gateway and click the Validation tab.
     – Click Add Server. The Add RADIUS Validation server dialog box is displayed. Fill in the fields as follows:

       Field                 Action
       Vendor                Select CyberArk from the drop-down list.
       Application Name      Select the vendor's application that you use, CyberArk Privileged Account Security Solution.
       Authentication Mode   Select the UserID – LDAP Password – Security code mode that you want to use for first- and second-factor authentication. In this authentication mode, VIP Enterprise Gateway validates the first factor (user name and password) with your user store, such as AD/LDAP. VIP Enterprise Gateway validates the second factor (user name and security code) with VIP Service.

3. Click Continue to add the Validation server.

Configuring CyberArk for integrating with Symantec VIP using RADIUS

Complete the following tasks to configure the CyberArk Privileged Account Security Solution and integrate it with Symantec VIP using RADIUS.

Table 5: Configuration tasks

Task                                                                        Resource
Configure a RADIUS server to enable users to authenticate to the            Configuring a RADIUS server
CyberArk Vault with RADIUS authentication. Make sure that RADIUS
authentication has been installed and configured on the Vault.
Configure the user account to enable users to define the list of the        Configuring the user account
supported configuration methods.
Configure access through Password Vault Web Access to enable                Configuring access through Password Vault Web Access
privileged access to users through Symantec two-factor authentication.
Test the integration of CyberArk with Symantec VIP.                         Testing the RADIUS integration

Configuring a RADIUS server

CyberArk Privileged Account Security Solution communicates with a RADIUS server during the user authentication process. Perform the following steps to create a RADIUS server:

1. Log on to the PrivateArk Server.
2. Stop the Vault server.
3. In the Vault installation folder, run CAVaultManager with the SecureSecretFiles command to create a file that contains an encrypted version of the RADIUS secret. Replace Shared Secret with the RADIUS shared secret created in the VIP Enterprise Gateway Validation server. For example:

   CAVaultManager SecureSecretFiles /SecretType Radius /Secret Shared Secret /SecuredFileName radiusauth.dat

   The encrypted shared secret value is stored in a file called radiusauth.dat in the current folder.
4. Using a standard text editor, edit DBParm.ini. Specify the following parameter, using the values below. Specify all values in the same parameter, separated by semicolons:

   RadiusServersInfo=RADIUS Server IP;RADIUS Port;vaulthostname;radiusauth.dat

   Field              Description
   RADIUS Server IP   The IP address of the RADIUS server.
   RADIUS Port        The port number of the RADIUS server.
   vaulthostname      The Vault machine name entered in the RADIUS server.
   radiusauth.dat     The name of the file that contains the secret password.

5. Start the Vault server.

Configuring the user account

1. Log on to the PrivateArk Client as an administrator user.
2. Select Tools > Administrative Tools > Users and Groups.
3. Select the user and click Update.
4. From the Authentication method drop-down list, select RADIUS Authentication, then click OK.
5. Log off the Vault.

Configuring access through Password Vault Web Access

1. Log on to CyberArk's Password Vault Web Access.
2. Select Administration > Options > Authentication Methods.
3. Click radius and enter the following values.

   Name          Value
   DisplayName   Symantec VIP
   Enabled       Yes
   UseRADIUS     Yes

4. Click Apply and then Sign Out. The CyberArk Privileged Account Security home page displays the Symantec two-factor authentication icon.

Testing the RADIUS integration

This section describes how you can test the integration of CyberArk with Symantec VIP using RADIUS. You can test the integration for the User ID – LDAP Password – Security Code authentication method that you use in your enterprise. An authentication method can use the following verification mechanisms:

- Hardware and VIP Access credential: The security code generated on your hardware or VIP Access credential is used along with the user name and password to access the protected resources. See Testing hardware and VIP Access credential authentication.
- SMS/Voice: If you have configured out-of-band (OOB) authentication in the VIP Enterprise Gateway Validation server and in VIP Manager, then a security code is sent to the registered mobile device over SMS or Voice. This security code is used along with the user name and password to access the protected resources. See Testing SMS/Voice authentication.
- VIP Access Push: For users who have installed VIP Access on their registered mobile devices, VIP Service sends a VIP Access Push notification message to the mobile device. The user must tap Allow on the device to perform the second-factor authentication and complete the sign-in. See Testing VIP Access Push authentication.

Testing hardware and VIP Access credential authentication

If you are using hardware or VIP Access credential authentication with the User ID – LDAP Password – Security Code authentication method, then perform the following steps:

1. Log into the resource protected by CyberArk.
2. On the login page, do the following:
   - Enter your user name.
   - Enter your password followed by the security code that you generate on your hardware or VIP Access credential.
   - Enter the portal IP address.
   - Click Apply.

After successful authentication, you can access the protected resources.

Testing SMS/Voice authentication

If you have integrated SMS or Voice authentication with the User ID – LDAP Password – Security Code authentication method, then perform the following steps:

1. Log into the resource protected by CyberArk.
2. On the login page, do the following:
   - Enter your user name.
   - Enter your password.
   - Click Apply.

   If the credentials are correct, you will receive a security code over SMS or Voice on your registered mobile device and the RADIUS Challenge page is displayed.
3. In the RADIUS Challenge page, enter the security code that you received on your device and click Post Answer.

After successful authentication, you can access the protected resources.

Testing VIP Access Push authentication

If you have integrated VIP Access Push authentication with the User ID – LDAP Password – Security Code authentication method, then perform the following steps:

1. Log into the resource protected by CyberArk.
2. On the login page, do the following:
   - Enter your user name.
   - Enter your password.
   - Click Apply.

   If the credentials are correct, you will receive a VIP Access Push notification on your registered mobile device.
3. Tap Allow on your device.

After successful authentication, you can access the protected resources.

Configuring CyberArk Privileged Account Security Solution for VIP using JavaScript

Complete the following tasks to configure CyberArk Privileged Account Security Solution for VIP using JavaScript.

Table 6: Overview of configuration tasks

Task                                                                    Resource
Complete the prerequisites.                                             Prerequisites
Configure the CyberArk Privileged Account Security Solution and         Configuring the CyberArk Privileged Account Security Solution with the VIP integration module for Microsoft AD FS
integrate it with Symantec VIP using JavaScript.
Test the JavaScript integration.                                        Testing the JavaScript integration

Prerequisites

Before you integrate CyberArk Privileged Account Security Solution with Symantec VIP for second-factor authentication using JavaScript, you must complete the following steps:

Table 7: Prerequisites for configuring CyberArk Privileged Account Security Solution for JavaScript

Prerequisite                                                            Resource
Ensure that first-factor authentication is working.                     Ensuring first-factor authentication
Install the VIP integration module for Microsoft Active Directory       See the VIP Integration Guide for Microsoft Active Directory Federation Service (AD FS) online at the Broadcom TechDocs portal.
Federation Service (AD FS).