- Notes, cautions, and warnings
- Revision history
- Preface
- Overview
- Deployment
- Getting started
- System configuration
- Configure network settings
- Manage users, roles, and scopes
- Ending user sessions
- Directory services integration
- Login using OIDC providers
- Security certificates
- Manage console settings
- Set the login security properties
- Customize the alert display
- Configure SMTP, SNMP, and Syslog
- Manage incoming alerts
- Manage warranty settings
- Configure remote commands and scripts
- OpenManage Mobile settings
- Enable or disable alert notifications for OpenManage Mobile
- Enable or disable OpenManage Mobile subscribers
- Delete an OpenManage Mobile subscriber
- View the alert notification service status
- Notification service status
- View information about OpenManage Mobile subscribers
- OpenManage Mobile subscriber information
- Troubleshooting OpenManage Mobile
- Discovering devices
- Server-initiated discovery
- Create a device discovery job
- Protocol support matrix for discovering devices
- View device discovery job details
- Edit a device discovery job
- Run a device discovery job
- Stop a device discovery job
- Discover multiple devices by .csv import
- Global exclusion of ranges
- Specify a discovery mode for server discovery
- Create a custom discovery job for servers
- Specify discovery mode for chassis discovery
- Create a custom discovery job for the chassis
- Specify discovery mode for Dell storage discovery
- Specify discovery mode for network switch discovery
- Create a custom discovery job for HTTPS storage devices
- Create a custom discovery job for SSH devices
- Create a custom discovery job for SNMP devices
- Specify the discovery mode for multiple discovery jobs
- Delete a device discovery job
- Managing devices and device groups
- Organize devices into groups
- Create a custom static or query group
- Create a static device group
- Create a query device group
- Edit a static group
- Edit a query group
- Rename a static or query group
- Delete a static or query device group
- Clone a static or query group
- Add devices to a new group
- Add devices to existing group
- Refresh health on group
- All Devices screen device list
- All Devices screen actions
- Delete devices from OpenManage Enterprise
- Exclude devices from OpenManage Enterprise
- Run inventory on devices
- Update the device firmware and drivers by using baselines
- Refresh the device health of a device group
- Refresh health on devices
- Roll back an individual device's firmware version
- Export the single device inventory
- Performing more actions on chassis and servers
- Hardware information displayed for MX7000 chassis
- Export data
- View and configure individual devices
- Organize devices into groups
- Managing device inventory
- Managing device firmware and drivers
- Managing device deployment templates
- Create a deployment template from a reference device
- Create a deployment template by importing a template file
- View a deployment template information
- Edit a server deployment template
- Edit a chassis deployment template
- Edit IOA deployment template
- Edit network properties of a deployment template
- Deploy device deployment templates
- Deploy IOA deployment templates
- Clone deployment templates
- Auto deploy device configuration before discovery
- Create auto deployment targets
- Delete auto deployment targets
- Export auto deployed target details
- Overview of stateless deployment
- Define networks
- Edit or delete a configured network
- Export VLAN definitions
- Import network definitions
- Managing device warranty
- Managing alerts
- Managing MIB files
- Configuring profiles
- Configuration compliance
- Using jobs for device control
- Monitoring audit logs
- Monitoring reports
- Back up, restore, or migrate
- Updating the console and plugins
- Managing plugins
- Troubleshooting
- Troubleshooting connectivity
- Firmware and DSU requirements for HTTPS
- Firmware schedule reference
- Firmware baseline field definitions
- Supported and unsupported actions on proxied sleds
- Schedule job field definitions
- Alert categories after EEMI relocation
- Token substitution in remote scripts and alert policy
- Catalog Management field definitions
- Devices with unknown compliance status
- Device rediscovery running for a long time after deleting iDRAC service account
- Dell Connectivity Service : Failed with exception: Unable to get access token from DCS
OpenManage Enterprise 4.0.x User's Guide
Enable CyberArk integration for password management
OpenManage Enterprise offers integration with CyberArk, a third-party identity management system, to manage privileged credentials in secure vaults for enhanced security and access control. This guide outlines the steps to integrate a CyberArk Privileged Access Manager (PAM) (deployed on-site using self-hosted architecture) with OpenManage Enterprise. See the CyberArk Documentation for more details.
Prerequisites
- CyberArk integration is only available on devices with the OpenManage Enterprise Advanced+ license.
- Ensure that the target devices are onboarded within a single CyberArk safe. OpenManage Enterprise supports one safe.
- Only local iDRAC passwords can be rotated using CyberArk. Accounts that are managed using directory services like active directory and LDAP cannot be used with CyberArk integration.
- Ensure that the appliance is accessible to the Central Credential Provider Host.
Steps
To enable CyberArk password rotation:
- Select Enable CyberArk Integration to enable CyberArk integration. Once Cyberark is enabled, the appliance retrieve the credentials for iDRACs, which are already configured in the CyberArk.
- Click Export to generate a downloadable list of iDRACs eligible for this feature.
- Click Upload to upload the certificate that is used for authenticating the Central Credential Provider Host to the appliance. Only Certificate-Based Authentication is supported.
- Enter the Central Credential Provider Host IPv4 address or FQDN and Port #.
- Enter the Application ID assigned to the appliance from CyberArk to provide a single sign-on to mobile applications.
- Enter the Safe name to allow the appliance to locate the required iDRAC credentials.
- Select an IP address, FQDN, or Service Tag to decide how credentials are retrieved. Confirm that the account name configured for iDRACs on Password Vault Web Access (PVWA) matches the IP address, FQDN, or Service Tag. This value is based on the chosen value for the Retrieve Credentials By field.
- Click Test Connection to verify that the appliance can access and authenticate the central credential provider host. Testing the connection fails when CyberArk is configured without any accounts that are added in the Password Vault Web Access (PVWA).
- Click Apply to save the changes or click Discard to reset the settings to the previous values.
Results
To disable CyberArk integration, clear the Enable CyberArk Integration check box and click Apply. All saved discovery jobs are triggered to ensure that the eligible devices have the appropriate credentials.
NOTE:
Important things to consider when enabling CyberArk Integration:
- Ensure proper configuration of CyberArk to prevent disruptions in accessing iDRAC devices through OpenManage Enterprise. Dell Technologies is not responsible for CyberArk software. As a customer of CyberArk, you are responsible for your business, technical, and support relationship with CyberArk. Ensure that you work directly with CyberArk for installing, testing functionality and scalability and the overall management of their software.
- When using CyberArk to manage device credentials, OpenManage Enterprise periodically retrieves passwords from the vault before performing specific tasks. If the retrieval process fails due to vault inaccessibility, incorrect credentials, or ongoing rotation, device tasks also fail, causing the device to enter an unknown state.
- Whenever OpenManage Enterprise cannot connect to a device, an internal event CDEV6131 is generated. If you observe such events for CyberArk managed devices, inform your CyberArk administrator to determine whether the correct credentials are being retrieved.
- When a device managed by CyberArk is discovered with new credentials, the credential type changes to 'discovery.' However, any tasks that are initiated from the appliance on the device use CyberArk credentials.
- Disable CyberArk password management for a specific iDRAC by removing the device account from CyberArk and rediscovering it in OpenManage Enterprise for updated credentials in all management operations.
Related references
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\