[comment]: # ({45508041-4ce68864}) # 1 CyberArk configuration This section explains how to configure Zabbix to retrieve secrets from CyberArk Vault CV12. The vault should be installed and configured as described in the official [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/12.1/en/Content/HomeTilesLPs/LP-Tile6.htm?tocpath=Installation%7C_____0). To learn about configuring TLS in Zabbix, see [*Storage of secrets*](/manual/config/secrets#tls-configuration). [comment]: # ({/45508041-4ce68864}) [comment]: # ({4f8deba1-bf4f1f87}) ### Database credentials Access to a secret with database credentials is configured for each Zabbix component separately. #### Server and proxies To obtain database credentials from the vault for Zabbix [server](/manual/appendix/config/zabbix_server) or [proxy](/manual/appendix/config/zabbix_proxy), specify the following configuration parameters in the configuration file: - `Vault` - which vault provider should be used; - `VaultURL` - vault server HTTP\[S\] URL; - `VaultDBPath` - query to the vault secret containing database credentials which will be retrieved by keys "Content" and "UserName" (this option can only be used if DBUser and DBPassword are not specified); - `VaultTLSCertFile`, `VaultTLSKeyFile` - SSL certificate and key file names; setting up these options is not mandatory, but highly recommended; - `VaultPrefix` - custom prefix for the vault path or query, depending on the vault; if not specified, the most suitable default will be used. :::noteimportant `Vault`, `VaultURL`, `VaultTLSCertFile`, `VaultTLSKeyFile`, and `VaultPrefix` configuration parameters are also used for vault authentication when processing secret vault macros by Zabbix server (and Zabbix proxy, if [configured](/manual/web_interface/frontend_sections/administration/general#other)). Zabbix server and proxies will not open vault secret macros that contain DB credentials from VaultDBPath. ::: Zabbix server and Zabbix proxy read the vault-related configuration parameters from *zabbix_server.conf* and *zabbix_proxy.conf* files upon startup. [comment]: # ({/4f8deba1-bf4f1f87}) [comment]: # ({bc54d843-c8ed5f40}) ##### Example 1. In *zabbix_server.conf*, specify the following parameters: ```ini Vault=CyberArk VaultURL=https://127.0.0.1:1858 VaultDBPath=AppID=zabbix_server&Query=Safe=passwordSafe;Object=zabbix_server_database VaultTLSCertFile=cert.pem VaultTLSKeyFile=key.pem VaultPrefix=/AIMWebService/api/Accounts? ``` 2. Zabbix will send the following API request to the vault: ```bash curl \ --header "Content-Type: application/json" \ --cert cert.pem \ --key key.pem \ https://127.0.0.1:1858/AIMWebService/api/Accounts?AppID=zabbix_server&Query=Safe=passwordSafe;Object=zabbix_server_database ``` 3. The vault response will contain the keys "Content" and "UserName": ```json { "Content": , "UserName": , "Address":
, "Database": , "PasswordChangeInProcess": } ``` 4. As a result, Zabbix will use the following credentials for database authentication: - Username: - Password: [comment]: # ({/bc54d843-c8ed5f40}) [comment]: # ({28af0777-f5f1a375}) #### Frontend To obtain database credentials from the vault for Zabbix frontend, specify the following parameters during frontend [installation](/manual/installation/frontend). 1. At the *Configure DB Connection* step, set the *Store credentials in* parameter to "CyberArk Vault". ![](../../../../assets/en/manual/config/cyberark_setup.png){width="600"} 2. Then, fill in the additional parameters: |Parameter|Mandatory|Default value| Description| |---|-|---|------| |Vault API endpoint|yes|https://localhost:1858|Specify the URL for connecting to the vault in the format `scheme://host:port`| |Vault prefix|no|/AIMWebService/api/Accounts?|Provide a custom prefix for the vault path or query. If not specified, the default is used.| |Vault secret query string|yes| |A query, which specifies from where database credentials should be retrieved.
Example: `AppID=foo&Query=Safe=bar;Object=buzz`| |Vault certificates|no| |After marking the checkbox, additional parameters will appear allowing to configure client authentication. While this parameter is optional, it is highly recommended to enable it for communication with the CyberArk Vault.| |SSL certificate file|no|conf/certs/cyberark-cert.pem|Path to the SSL certificate file. The file must be in PEM format.
If the certificate file also contains the private key, leave the SSL key file parameter empty.| |SSL key file|no|conf/certs/cyberark-key.pem|Name of the SSL private key file used for client authentication. The file must be in PEM format.| [comment]: # ({/28af0777-f5f1a375}) [comment]: # ({dcf47002-11bde60a}) ### User macro values To use CyberArk Vault for storing *Vault secret* user macro values, make sure that: - Zabbix server is [configured](/manual/config/secrets/cyberark#server-and-proxies) to work with CyberArk Vault; - the *Vault provider* parameter in [*Administration → General → Other*](/manual/web_interface/frontend_sections/administration/general#other) is set to "CyberArk Vault". ![](../../../../assets/en/manual/config/provider_cyberark.png) :::noteclassic Zabbix server (and Zabbix proxy, if [configured](/manual/web_interface/frontend_sections/administration/general#other)) require access to *Vault secret* macro values from the vault. Zabbix frontend does not need such access. ::: The macro value should contain a query (as `query:key`). See [*Vault secret macros*](/manual/config/macros/secret_macros#vault-secret) for detailed information on macro value processing by Zabbix. [comment]: # ({/dcf47002-11bde60a}) [comment]: # ({d8f91274-1b41be0a}) #### Query syntax The colon symbol (":") is reserved for separating the query from the key. If a query itself contains a forward slash or a colon, these symbols should be URL-encoded ("/" is encoded as "%2F", ":" is encoded as "%3A"). [comment]: # ({/d8f91274-1b41be0a}) [comment]: # ({6ca402c3-423b1929}) #### Example 1. In Zabbix, add a user macro {$PASSWORD} of type *Vault secret* and with the value `AppID=zabbix_server&Query=Safe=passwordSafe;Object=zabbix:Content` ![](../../../../assets/en/manual/config/cyberark_macro.png) 2. Zabbix will send the following API request to the vault: ```bash curl \ --header "Content-Type: application/json" \ --cert cert.pem \ --key key.pem \ https://127.0.0.1:1858/AIMWebService/api/Accounts?AppID=zabbix_server&Query=Safe=passwordSafe;Object=zabbix_server_database ``` 3. The vault response will contain the key "Content": ```json { "Content": , "UserName": , "Address":
, "Database" :, "PasswordChangeInProcess": } ``` 4. As a result, Zabbix will resolve the macro {$PASSWORD} to the value - [comment]: # ({/6ca402c3-423b1929}) [comment]: # ({4f5314a4-f5e60a12}) ### Update existing configuration To update an existing configuration for retrieving secrets from a CyberArk Vault: 1. Update the Zabbix server or proxy configuration file parameters as described in the [*Database credentials*](#database-credentials) section. 2. Update the DB connection settings by reconfiguring Zabbix frontend and specifying the required parameters as described in the [*Frontend*](#frontend) section. To reconfigure Zabbix frontend, open the frontend setup URL in the browser: - for Apache: http:///zabbix/setup.php - for Nginx: http:///setup.php Alternatively, these parameters can be set in the [frontend configuration file](/manual/installation/frontend#install) (*zabbix.conf.php*): ```ini $DB['VAULT'] = 'CyberArk'; $DB['VAULT_URL'] = 'https://127.0.0.1:1858'; $DB['VAULT_DB_PATH'] = 'AppID=foo&Query=Safe=bar;Object=buzz'; $DB['VAULT_TOKEN'] = ''; $DB['VAULT_CERT_FILE'] = 'conf/certs/cyberark-cert.pem'; $DB['VAULT_KEY_FILE'] = 'conf/certs/cyberark-key.pem'; $DB['VAULT_PREFIX'] = ''; ``` 3. Configure user macros as described in the [*User macro values*](#user-macro-values) section, if necessary. To update an existing configuration for retrieving secrets from a HashiCorp Vault, see [*HashiCorp configuration*](/manual/config/secrets/hashicorp#update-existing-configuration). [comment]: # ({/4f5314a4-f5e60a12})