CyberArk

CyberArk is a Privileged Access Management (PAM) tool that securely manages confidential data. CyberArk created a Digital Vault that stores data in an existing network perimeter with eight layers of security. By integrating our RPA solution with their CyberArk Vault, we can now provide you with a higher level of data security to protect your passwords.

You can now manage your credentials from Console Plus due to the new integration of the CyberArk Vault. This is optional and an alternative to Nintex's proprietary Logon Expert in the Credentials Vault.

Prerequisites

To complete this tutorial, you need the following:

  • CyberArk account authentication details

    If you are upgrading from a previous version, contact the Nintex RPA Support Team to configure the CyberArk Vault into the Nintex RPA OS.

  • Console Plus

    Although the Credentials Vault can be accessed from the Studio, Admin Tool, or Console Plus, OS management can only be done from Console Plus.

Configuration

To use the CyberArk Vault integration, the following configuration must be done on the server side and requires assistance from the support team.

To configure parameters on the server-side:

  1. In config\prod\general\feature-toggles.json, set secretsManagement to True.

  2. In config\prod\general\cyberark-vault-direct.json, set the configuration of how to connect to CyberArk from the Robot:

    {
    "apiUrl": "https://{customer-cyberark-server-address}/AIMWebService/api/Accounts",
    "appId": "{kryon application name in CyberArk of customer}",
    "safeName": "{kryon safe name in CyberArk of customer}",
    "sslType": "{ SystemDefault / Ssl3 / Tls / Tls11 / Tls12}",
    "unsafeSSL": true/false
    }
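The settings in cyberark-vault-direct.json decide how the Robot's connection to CyberArk is protected. The PowerShell check below is an added example, not part of the Nintex product or its documentation; the function name Test-CyberArkVaultConfig and the sample values are constructed, and it assumes that unsafeSSL relaxes certificate validation and that sslType selects the protocol version used for the connection.

```powershell
# Added example: audit a filled-in cyberark-vault-direct.json before the Robot uses it.
# Assumptions (not stated on this page): unsafeSSL = true relaxes certificate
# validation, and sslType selects the SSL/TLS protocol version for the connection.
function Test-CyberArkVaultConfig {
    param([Parameter(Mandatory)][string]$Json)

    try { $cfg = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { return "FAIL  not valid JSON: $($_.Exception.Message)" }

    # Every key from the template must be present and no {placeholder} may remain.
    foreach ($key in 'apiUrl', 'appId', 'safeName', 'sslType', 'unsafeSSL') {
        $value = $cfg.$key
        if ($null -eq $value) { "FAIL  $key is missing" }
        elseif ("$value" -match '[{}]') { "FAIL  $key still contains a template placeholder" }
    }

    # Secrets are fetched over this URL, so it must be an absolute HTTPS address.
    $uri = $null
    if (-not [uri]::TryCreate([string]$cfg.apiUrl, [UriKind]::Absolute, [ref]$uri)) {
        "FAIL  apiUrl is not an absolute URL"
    } elseif ($uri.Scheme -ne 'https') {
        "FAIL  apiUrl uses '$($uri.Scheme)'; secrets would cross the network unencrypted"
    }

    # Ssl3, Tls (1.0) and Tls11 are deprecated protocol versions.
    switch ([string]$cfg.sslType) {
        { $_ -in 'Ssl3', 'Tls', 'Tls11' } { "FAIL  sslType '$_' is a deprecated protocol; use Tls12"; break }
        'SystemDefault' { "WARN  sslType SystemDefault follows host settings; confirm TLS 1.2 or later is used"; break }
        'Tls12' { break }
        default { "FAIL  sslType '$_' is not one of the documented values" }
    }

    if ($cfg.unsafeSSL -eq $true) {
        "FAIL  unsafeSSL is true; set it to false and use a certificate the Robot trusts"
    }
}

# Constructed sample: a lab-style configuration with weak transport settings.
$sample = @'
{ "apiUrl": "https://cyberark.example.internal/AIMWebService/api/Accounts",
  "appId": "ExampleApp", "safeName": "ExampleSafe",
  "sslType": "Tls11", "unsafeSSL": true }
'@
Test-CyberArkVaultConfig -Json $sample
```

To check a real file, pass its contents with `Get-Content -Raw` as the `-Json` argument; no output means none of the checks fired.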

To configure parameters on the Robot client-side which have default values:

  1. Set the parameters in kryon-rpa-client-default.json:

    1. "secretCacheTimeoutInSeconds" – The TTL for the secret cache; the default is 300 (5 minutes).

    2. "failFetchTaskOnInvalidSecret" – Whether to block the fetch task if the secret isn't valid; the default is true.

  2. Log in to the Aerobase console.

  3. Go to Clients (under Configure on the left pane).

  4. Check that the kryon-secrets, kryon-secrets-admin, and kryon-secrets-reader clients don't exist.

    If you see any of them present, delete them and close the Aerobase console.

  5. Run PowerShell as an administrator.

  6. Change directory (cd) to:

    {installation-drive}:\{brandName}\installer-assets\config\prod\scripts

  7. Run this command:

    .\configureAll.ps1 -h "{installation-drive}:\{brandName}\" (ex: .\configureAll.ps1 -h "C:\Nintex")

Add CyberArk Credentials

To add a CyberArk OS credential to Console Plus:

  1. Log in to Console Plus. See Accessing Console Plus.

  2. Select Settings from the left Navigation menu.

  3. Click Manage by the OS credential type.

    The Credentials vault opens to the OS tab.

  4. Click +Add credential.

  5. Fill out the required Vault Details fields.

    Make sure to fill in the correct CyberArk account name, Domain, and User Name. They need to match for the integration to work properly.

    Failure to do so will result in errors, listed in Error Troubleshooting.

    The new OS credential appears in the Credentials vault list.

    The Robot will now attempt to create the connection to CyberArk. In the event that you receive an error message, see Error Troubleshooting.

    It takes approximately 300 seconds for the changes in the CyberArk account to take effect on the Robot.