Veritas Appliance Guide for CyberArk Plugin Configuration
Configuration for CyberArk Privileged Session Manager (PSM) for SSH
The CyberArk Privileged Session Manager (PSM) supports management of web user passwords for the following Veritas appliances:
- NetBackup Flex Scale Appliance
- Veritas Access Appliance
Note:
The console IP, all nodes, and NetBackup WORM are supported. However, NetBackup primary and media instances are not supported.
PSM lets you initiate, monitor, and record privileged login sessions and the usage of administrative and user accounts whose passwords are stored in a CyberArk password vault. The entire user login session is recorded.
The following are the requirements that you must meet and the tasks that you must complete before you can configure the PSM:
- A configured NetBackup Flex Scale Appliance with software versions 3.2 and later, or a configured Veritas Access Appliance with software versions 8.2 and later.
- A CyberArk PAM (Privileged Access Manager) solution.
- A completed CPM configuration.
Limitations:
For the best experience and to avoid errors on the CyberArk website, use Google Chrome versions 109.0.5414.129 (64-bit) and later.
To initiate an SSH session, the PSM logs the user in with the password that is stored in the vault. The deployment follows the standard CyberArk architecture, in which sessions are recorded and the recordings are stored in the vault.
You can use one of the following methods to configure the PSM for SSH:
- PSM-SSH method - when a user logs in, this method starts a Remote Desktop connection, and records the entire login session.
- PSMP SSH method - this method requires a dedicated Linux machine that is accessible from the environment. Documentation links are available on the CyberArk website and are included in the procedure that describes this configuration method.
To configure PSM-SSH
- Log in to the CyberArk PVWA.
- Navigate to the following page:
Administration > Configuration Options > Options > Connection Components
Click the + symbol to expand and view the component contents. Then, right-click on PSM-SSH and click Copy.
- Right-click on Connection Components and select Paste Connection Component.
The new component should now appear in the expanded list of components: PSM-SSH. To rename the component do the following:
Click once on the new PSM-SSH component.
In the right pane of the page, in the ID row at the top of the page, change the component name in the Value column. For example: PSM-NBFSAA.
Right-click the new component name and select Copy.
- Navigate to Administration > Platform Management.
- On the page with the list of Target Account Platforms, do the following:
Locate the CPM PSM name to add PSM support and click on it once.
In the lower-right corner of the page, click Edit.
- In the left column of the page, do the following:
Right-click on UI & Workflows and select Add Privileged Session Management.
Right-click again on UI & Workflows and select Add Connection Components.
Right-click on Connection Components and select Add Connection Component.
Paste the Id content that you copied in step 3.
In the lower-right corner of the page, click Apply, then click OK.
- Right-click on the new PSM to ensure that both the Privileged Session Management and Connection Components menus appear.
- To add the override functionality, do the following:
In the left column of the page, right-click on the PSM and select Add Override User Parameters.
Note:
Do not select Add Override Component Parameters.
Right-click on the PSM again and select Add Parameter.
On the Properties side of the page, at the top of the page for Name, enter PSMRemoteMachine into the Value column.
On the Properties side of the page, for Type, enter the following into the Value column:
CyberArk.PasswordVault.Web.TransparentConnection.RemoteMachineUserParameter, CyberArk.PasswordVault.Web
In the upper-left corner of the page, click Apply, then click OK.
- Restart the CyberArk Password Manager as follows:
Navigate to Services (Local).
Right-click on CyberArk Password Manager and select Restart.
- Log in to CyberArk Password Manager and do the following:
Navigate to the Accounts View page.
Select a user account to connect to a machine and click Connect.
When prompted, add the IP address for the machine to allow the user to access it.
To configure PSMP SSH
- Contact your CyberArk representative to obtain the PSMP software.
- Install the PSMP software on your Linux machine.
- Set up PSM for SSH on your Linux machine as follows:
Download the PSM for SSH software from the following site:
https://cyberark.my.site.com/mplace/s/#software-aK4Ht000000fxT4KAI-
Obtain the necessary documentation from the following site:
- Log in to the CyberArk PVWA and navigate to the following page:
Administration > Platform Management > Veritas NetBackup Flex Scale or Access Appliance API via REST > Connection Components. In the lower-right corner of the page, click Edit.
- Right-click on UI & Workflows and select Add Privileged Session Management. On the Properties side of the page, verify that the Value for PrivilegedSSO is set to Yes.
- In the left column of the page, right-click UI & Workflows and select Add Connection Components.
- In the left column of the page, right-click Connection Component and select Add Connection Component.
On the Properties side of the page, in the Value column for the Id, change the name of the newly added component to PSMP-SSH.
- To use one account to connect to multiple target machines, complete the following tasks to add the Override User Parameter, as in the previous procedure.
In the left column of the page, right-click on the PSMP-SSH component and select Add Override User Parameters.
Note:
Do not select Add Override Component Parameters.
Right-click on Override User Parameters and select Add Parameter.
On the Properties side of the page, at the top of the page for Name, enter PSMRemoteMachine into the Value column.
On the Properties side of the page, for Type, enter the following into the Value column:
CyberArk.PasswordVault.Web.TransparentConnection.RemoteMachineUserParameter, CyberArk.PasswordVault.Web
In the upper-left corner of the page, click Apply, then click OK.
- You are now ready to connect to the NetBackup Flex Scale or Access Appliances in the Linux environment. Use the following connection string to connect:
ssh <vault_login_user>@<cyberark_account_name>#<IP/FQDN>@<targetmachine>#targetport@<vaultuserpassword>@<PSMPserverIP/FQDN>
Where vault_login_user is the administrator that logs into the PVWA and cyberark_account_name is the Access Appliance or NetBackup Flex Scale user login account name.
Note:
The IP/FQDN parameter for the cyberark_account_name must match the target machine context exactly as it appears in the PVWA. For example, if the PVWA uses an IP address instead of a machine name, you must also use the IP address in the string. The reverse also applies: if you use a machine name in the string, the PVWA must also use the machine name. The values must match; name resolution does not apply here.
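The following shell helper is an added example, not part of the Veritas or CyberArk documentation. It composes the connection string in the field order shown above and refuses to build it when the address differs from the value stored in the PVWA. The function names, the return codes, and all sample values (vaultadmin, nbfsadmin, 192.0.2.10, flex01.example.test, psmp.example.test, ExamplePass1) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. All sample values below are constructed.

# True only when the address typed in the string is the same string as the
# address stored for the account in the PVWA. No DNS lookup is made.
address_matches_pvwa() {
    [ "$1" = "$2" ]
}

# A field must be non-empty and free of '@', '#' and whitespace, because
# those characters would shift every later field of the string.
field_is_clean() {
    case "$1" in
        ''|*[@#]*|*[[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# build_psmp_target VAULT_USER ACCOUNT ADDRESS TARGET PORT VAULT_PW PSMP_HOST PVWA_ADDRESS
# Prints the ssh argument in the field order given on the page.
build_psmp_target() {
    [ "$#" -eq 8 ] || { echo "expected 8 arguments" >&2; return 2; }
    if ! address_matches_pvwa "$3" "$8"; then
        echo "address '$3' differs from PVWA value '$8'" >&2
        return 3
    fi
    for field in "$1" "$2" "$3" "$4" "$5" "$7"; do
        field_is_clean "$field" || { echo "bad field: '$field'" >&2; return 4; }
    done
    case "$5" in *[!0-9]*) echo "port must be numeric" >&2; return 5 ;; esac
    # The password is passed through unchanged; only emptiness is checked.
    [ -n "$6" ] || { echo "empty vault password" >&2; return 6; }
    printf '%s@%s#%s@%s#%s@%s@%s\n' "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# Demo: the PVWA stores the account with an IP address (constructed values).
PVWA_ADDR=192.0.2.10
VAULT_PW=${VAULT_PW:-ExamplePass1}
build_psmp_target vaultadmin nbfsadmin 192.0.2.10 192.0.2.10 22 "$VAULT_PW" psmp.example.test "$PVWA_ADDR"
# Same host written as a name: rejected, because the strings differ.
build_psmp_target vaultadmin nbfsadmin flex01.example.test 192.0.2.10 22 "$VAULT_PW" psmp.example.test "$PVWA_ADDR" \
    || echo "rejected before any ssh attempt"
```

Pass the printed value to ssh as its single argument.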