Forum Discussion

schatte1's avatar
schatte1
Icon for Contributor II rankContributor II
6 months ago

CyberArk credential provider and CacheRefreshInterval timing issues with SL1 polling frequency

Rotation of password by Cyberark and the timespan defined with "CacheRefreshInterval" is causing issues with the polling interval of SL1 DAs. With CyberArk, the SL1 can source credential data from C...
integration
JohnProctor's avatar
JohnProctor
Icon for Moderator rankModerator
6 months ago

The Cache Refresh Interval is a parameter of the CyberArk Credential Provider. It is not something that is managed or configured by ScienceLogic. The CyberArk documentation provides instructions on how to change it.

Aimparms installation file for CP
https://docs.cyberark.com/credential-providers/latest/en/content/cp%20and%20ascp/aimparms-installation-file.htm?tocpath=Installation%7CCredential%20Provider%20(CP)%7CInstall%20the%20Credential%20Provider%7CInstall%20Credential%20Provider%20on%20Linux%20%252F%20AIX%7CBefore%20installation%7C_____1#CP

The CyberArk documentation also describe the behavior of the Credential Provider during password changes. 

Synchronize automatic password changes with the Credential Provider
https://docs.cyberark.com/credential-providers/latest/en/content/ccp/controlling-application-passwords-change-processes.htm?Highlight=password%20change%20process#SynchronizeautomaticpasswordchangeswiththeCredentialProvider

Given that use of SL1 and CyberArk are often unique, tuning of the CyberArk parameters may be required. CyberArk can assist with tuning the Vault and Credential Provider to address this issue.

You might also inquiry with CyberArk how to reduce the timeframe for which password changes occur so that a corresponding maintenance interval can be scheduled within SL1 so that collection is suspended during password changes. There are parameters like ExecutionDays, FromHour, and ToHour that might help narrow the time interval for which password changes occur.

  • schatte1's avatar
    schatte1
    Icon for Contributor II rankContributor II
    6 months ago

    Hi John,

    Its great that you brought this up. To that document(Central Credential Provider) SL1 provides documentation for integration with external credential tools like CyberArk with Credential Provider. I am trying to get more into the Credential provider - Single account and Double account password change processes. Which are available with developer (CyberArk). Definitely I will be involving the CyberArk vendor. I appreciate the feedback on this. It will be helpful if SL1 provides the Best practices while using CyberArk credential provider, Polling intervals are critical to SL1 and guidance on those are expected to let clients use tools efficiently. See this.... https://docs.cyberark.com/credential-providers/latest/en/content/cp%20and%20ascp/changing-single-account.htm?tocpath=Developer%7CCredential%20Provider%20(CP)%7CApplication%20passwords%20change%20processes%7C_____2 

    The statement "corresponding maintenance interval can be scheduled within SL1 so that collection is suspended" drives me crazy. Should we really opt this as practice where we expect to keep the lights on for operations and monitoring?