CyberArk credential provider and CacheRefreshInterval timing issues with SL1 polling frequency

  • October 23, 2024

Rotation of passwords by CyberArk and the timespan defined with "CacheRefreshInterval" are causing issues with the polling interval of SL1 DAs.

With CyberArk, SL1 can source credential data from CyberArk. In keeping with security policies, Cybersecurity recommends changing the passwords of the SL1 IDs. CyberArk can only specify a time frame during which the passwords can be changed. On the collectors, in the CyberArk agent setup, CacheRefreshInterval is set to 1500 secs (25 mins) to refresh the local cache from CyberArk every 25 mins.

As CyberArk can change the password at any minute or second, SL1 still waits for CacheRefreshInterval to refresh the password. As polling frequencies are set to 5 minutes by default (with the password change happening at the 4th minute), SL1 often still reaches the server with the old password and causes account lockouts.


Is there a known way to tackle this issue?

1 reply

  • Employee
  • October 23, 2024

The Cache Refresh Interval is a parameter of the CyberArk Credential Provider. It is not something that is managed or configured by ScienceLogic. The CyberArk documentation provides instructions on how to change it.

Aimparms installation file for CP
https://docs.cyberark.com/credential-providers/latest/en/content/cp%20and%20ascp/aimparms-installation-file.htm?tocpath=Installation%7CCredential%20Provider%20(CP)%7CInstall%20the%20Credential%20Provider%7CInstall%20Credential%20Provider%20on%20Linux%20%252F%20AIX%7CBefore%20installation%7C_____1#CP

The CyberArk documentation also describes the behavior of the Credential Provider during password changes.

Synchronize automatic password changes with the Credential Provider
https://docs.cyberark.com/credential-providers/latest/en/content/ccp/controlling-application-passwords-change-processes.htm?Highlight=password%20change%20process#SynchronizeautomaticpasswordchangeswiththeCredentialProvider

Given that the use of SL1 and CyberArk is often unique, tuning of the CyberArk parameters may be required. CyberArk can assist with tuning the Vault and Credential Provider to address this issue.

You might also inquire with CyberArk about how to reduce the time frame in which password changes occur, so that a corresponding maintenance interval can be scheduled within SL1 and collection is suspended during password changes. There are parameters like ExecutionDays, FromHour, and ToHour that might help narrow the time interval in which password changes occur.
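
The timing problem in this thread can be modelled in a few lines. The following is an added example, not part of the original posts and not ScienceLogic or CyberArk code: it counts how many polls still use the old password after a rotation, and how long a collection pause must last to cover the change window. It assumes the cache refreshes only on its fixed interval, that FromHour and ToHour are whole hours of the day, and all function names are hypothetical.

```python
import math

CACHE_REFRESH_S = 1500  # CacheRefreshInterval from the post (25 min)
POLL_S = 300            # default polling frequency from the post (5 min)

def stale_polls(rotation_t, cache_s=CACHE_REFRESH_S, poll_s=POLL_S,
                cache_phase=0, poll_phase=0):
    """Poll times (s) that still present the old password after a rotation.

    Assumed model: the cache refreshes only at cache_phase + k*cache_s, polls
    run at poll_phase + k*poll_s, and a refresh at or after the rotation
    delivers the new password before any poll at the same instant.
    """
    next_refresh = cache_phase + math.ceil((rotation_t - cache_phase) / cache_s) * cache_s
    first_poll = poll_phase + math.ceil((rotation_t - poll_phase) / poll_s) * poll_s
    return list(range(first_poll, next_refresh, poll_s))

def max_stale_polls(cache_s=CACHE_REFRESH_S, poll_s=POLL_S):
    """Upper bound on failed logins per polled task after one rotation."""
    return math.ceil(cache_s / poll_s)

def pause_window(from_hour, to_hour, cache_s=CACHE_REFRESH_S):
    """Seconds-of-day span collection must pause for (assumes whole hours).

    The pause outlasts the change window by one cache interval: a rotation at
    the last second leaves the cache stale until its next refresh.
    """
    return from_hour * 3600, to_hour * 3600 + cache_s

def unpaused_stale_polls(from_hour, to_hour, pause_end_s,
                         cache_s=CACHE_REFRESH_S, poll_s=POLL_S):
    """Stale polls that run outside the pause, over every rotation minute."""
    start = from_hour * 3600
    missed = set()
    for rotation_t in range(start, to_hour * 3600 + 1, 60):
        for t in stale_polls(rotation_t, cache_s, poll_s):
            if not start <= t < pause_end_s:
                missed.add(t)
    return sorted(missed)

if __name__ == "__main__":
    print("rotation at minute 4:", stale_polls(240))
    print("worst case per task:", max_stale_polls())
    start, end = pause_window(2, 3)  # constructed 02:00-03:00 change window
    print("pause ending at ToHour misses:", unpaused_stale_polls(2, 3, 3 * 3600))
    print("pause with cache tail misses:", unpaused_stale_polls(2, 3, end))
```

Compare the worst-case count with the lockout threshold of the polled systems when choosing a CacheRefreshInterval or a maintenance interval.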