CyberArk credential provider and CacheRefreshInterval timing issues with SL1 polling frequency

Question

Rotation of password by Cyberark and the timespan defined with "CacheRefreshInterval" is causing issues with the polling interval of SL1 DAs.

With CyberArk, the SL1 can source credential data from CyberARK. Respecting security policies, Cybersecurity recommends changing of password to the SL1 IDs. CyberARK can only specify a time frame during which the passwords can be changed. Within the collectors on the Cyberark agent setup CacheRefreshInterval is set up with 1500 secs (25 mins) to refresh the local cache with the Cyberark every 25 mins.

As Cyberark can change the password at any minute or secs of time, SL1 still waits for CacheRefreshInterval to refresh the password. As polling frequencies are default set with 5 minutes(with password change happening at the 4th minute), often SL1 still reaches the server with old password and cause account lockouts.

Is there a known way to tackle this issue?

johnproctor · Answer

The Cache Refresh Interval is a parameter of the CyberArk Credential Provider. It is not something that is managed or configured by ScienceLogic. The CyberArk documentation provides instructions on how to change it.
Aimparms installation file for CPhttps://docs.cyberark.com/credential-providers/latest/en/content/cp%20and%20ascp/aimparms-installation-file.htm?tocpath=Installation%7CCredential%20Provider%20(CP)%7CInstall%20the%20Credential%20Provider%7CInstall%20Credential%20Provider%20on%20Linux%20%252F%20AIX%7CBefore%20installation%7C_____1#CP
The CyberArk documentation also describe the behavior of the Credential Provider during password changes.&nbsp;
Synchronize automatic password changes with the Credential Providerhttps://docs.cyberark.com/credential-providers/latest/en/content/ccp/controlling-application-passwords-change-processes.htm?Highlight=password%20change%20process#SynchronizeautomaticpasswordchangeswiththeCredentialProvider
Given that use of SL1 and CyberArk are often unique, tuning of the CyberArk parameters may be required. CyberArk can assist with tuning the Vault and Credential Provider to address this issue.You might also inquiry with CyberArk how to reduce the timeframe for which password changes occur so that a corresponding maintenance interval can be scheduled within SL1 so that collection is suspended during password changes. There are parameters like ExecutionDays, FromHour, and ToHour that might help narrow the time interval for which password changes occur.

schatte1 · Answer

Hi John,Its great that you brought this up. To that document(Central Credential Provider) SL1 provides documentation for integration with external credential tools like CyberArk with Credential Provider. I am trying to get more into the Credential provider - Single account and Double account password change processes. Which are available with developer (CyberArk). Definitely I will be involving the CyberArk vendor. I appreciate the feedback on this. It will be helpful if SL1 provides the Best practices while using CyberArk credential provider, Polling intervals are critical to SL1 and guidance on those are expected to let clients use tools efficiently. See this....&nbsp;https://docs.cyberark.com/credential-providers/latest/en/content/cp%20and%20ascp/changing-single-account.htm?tocpath=Developer%7CCredential%20Provider%20(CP)%7CApplication%20passwords%20change%20processes%7C_____2&nbsp;The statement "corresponding maintenance interval can be scheduled within SL1 so that collection is suspended" drives me crazy. Should we really opt this as practice where we expect to keep the lights on for operations and monitoring?

Forum Discussion

CyberArk credential provider and CacheRefreshInterval timing issues with SL1 polling frequency

Related Content

Re: Extend Internal Interface collection

Bulk discovery of decentralized Servers

Nexus Community Tip: Managing Follows and Notifications

SL1 Certifications Overview Guide

View the 12.3 CA Release Notes & Getting Started Guide

Recent Discussions

Sending Sub-ID information into incident integration

Poll Summary for specific Dynamic Application

API to get devices aligned to a dynamic app

Suppressing Specific BGP peers

Low Code error when running Dynamic App