Integrating CyberArk with LoadGen enhances security by managing sensitive credentials for LoadGen's operation. CyberArk's robust system securely stores and manages privileged account credentials, crucial for LoadGen's automated testing processes. This guide details the steps to integrate CyberArk within your LoadGen environment.
This document outlines the steps to integrate CyberArk with LoadGen for secure credential management. CyberArk is a security solution that manages privileged accounts and sessions, providing secure storage and access to sensitive data like passwords and keys.
LoadGen User Types
Within LoadGen's architecture, there are three distinct types of accounts:
- Test users Accounts: Regular user accounts existing in Active Directory, used for simulating user actions and executing performance and functional tests.
- Run as Profile Accounts: Local Windows administrator account or Active Directory domain administrator accounts with elevated privileges to connect to various machines for LoadGen Agents distribution and Systems Under Test (SUT) performance counters retrieval.
- SQL Database Accounts: Configured for SQL database interactions, crucial for storing and managing data generated or used during testing, including test results and configuration data.
For optimal security and functionality, it is critical that all these user accounts are initially set up in LoadGen with placeholder passwords. Upon enabling the CyberArk feature, LoadGen will seamlessly replace these placeholders with the actual passwords fetched from your CyberArk Vault as needed. This ensures that sensitive credentials are managed securely and are only used when necessary. It's imperative to note that the system cannot operate in a mixed mode; every user within the active load profile must be replicated in the CyberArk Vault with corresponding credentials to maintain system integrity and testing accuracy.
Installation of CyberArk Credential Provider Service
The CyberArk service must be installed on the LoadGen environment. Follow these steps:
- Install the CyberArk Credential Provider on the server that will host the LoadGen Suite (if you split the LoadGen components.
- Install the CyberArk Credential Provider on the machines that will host the LoadGen Agent (optional).
- Execute the installation wizard, selecting only the necessary components based on your LoadGen environment requirements.
- Read more about installing the CyberArk Credential Provider service in this article.
Setting Up CyberArk Safe for LoadGen Integration
Configuring a CyberArk Safe correctly is crucial for the secure management of credentials within the LoadGen framework:
- Access the CyberArk Vault by logging in with your administrative credentials.
- Navigate to the 'Policies' section, where you'll find an option for 'Safes'. Here you will create a new Safe specifically for LoadGen.
- Click on 'Safes', and then choose to create a new Safe. Assign it to the Central Policy Manager (CPM) with 'PasswordManager' as the designated CPM.
- Provide a distinctive name for your Safe, which will help you to identify it as the repository for LoadGen credentials.
- Now, select members for the Safe. These should be the machine names where LoadGen components are installed, and where the CyberArk Credential Provider Service has been successfully installed and registered.
- Ensure that each member machine has the correct permissions set within the Safe. This typically involves granting access rights that align with the operational requirements of LoadGen components on those machines.
By meticulously setting up a Safe in CyberArk and defining its members and permissions, you create a secure container for LoadGen credentials. This enables LoadGen to interact with CyberArk and manage credentials securely, which is a foundational aspect of safeguarding your automated testing processes.
Registering LoadGen Suite in CyberArk Vault
To integrate LoadGen with CyberArk for secure credential fetching, follow these steps to register LoadGen as an application within CyberArk:
- Open the CyberArk Vault interface and navigate to the 'Applications' section.
- Click on 'Add Application'. A dialog box appears prompting you to enter the application details. Fill in the following fields in the dialog box:
- Name: Enter a unique name for the LoadGen Suite application.
- Description: Provide a brief description of the application and its purpose.
- Business owner: Enter the contact details of the person responsible for this application within your organization. This includes their first name, last name, email, and phone number.
- Location: Select the geographical or logical location of the application if your organization uses such categorizations.
- Access Permitted: Set the time frame for which the application will have access to the Vault, if applicable.
- Expiration Date: Specify if there’s an expiration date for the application's access to the Vault.
- Disabled: Check this option if you wish to disable the application temporarily.
- After filling in the required information, click 'Add' to register the LoadGen Suite as an application within the CyberArk Vault.
- Once the application is created, proceed to define which users and machines are allowed to use this application. This involves adding authorized users and the specific machines where LoadGen components are installed under the 'Allowed Users' and 'Allowed Machines' sections of the application settings.
By completing these steps, LoadGen Suite will be registered as an application in CyberArk, enabling it to securely retrieve the necessary credentials for your automated testing environment. This ensures that sensitive data such as passwords are handled in a secure manner, in line with your organization’s security policies.
Adding Users to the CyberArk Vault for LoadGen Integration
For a seamless integration of LoadGen with CyberArk, it's crucial to create and map users in the CyberArk vault that correspond to the LoadGen users. Here's how you can add these users to the CyberArk vault:
- Access the CyberArk Vault:
- Navigate to the Accounts section within your CyberArk Vault.
- Create a New Account:
- Click on the option to 'Create new account'.
- For the platform, select 'Windows Domain Account' if the users are part of an Active Directory Domain. Alternatively, select a local machine account type if the users are local to a specific machine.
- Enter Account Details:
- Address: Input the Active Directory Domain Name or the local machine name. This must be an exact match with the accounts in LoadGen and correspond to where you want the test connections to occur.
- Username: Add the username as it exists in LoadGen or your infrastructure.
- Password: Enter the user's password and confirm it in the provided fields.
- Select the Correct Safe:
- After entering the account details, proceed to the next step where you can select the appropriate Safe in which the account will be stored.
- Ensure that this Safe is the same as the one specified in the LoadGen configuration.
- Finalize the Account Creation:
- Once you have entered all the necessary information and selected the correct Safe, click 'Finish' to complete the account creation process.
Configuring LoadGen for CyberArk Credential Management
To securely manage credentials with CyberArk in LoadGen Director and on LoadGen Agents, follow these steps:
- Launch LoadGen Director:
- Open the LoadGen Director and access the 'Tools' menu.
- Select 'LoadGen Options' to open the settings window.
- Navigate to Security Settings:
- Click on the 'Security' tab to access security-related configurations.
- Enable CyberArk Integration:
- Check the box labeled 'Use CyberArk' to enable CyberArk integration.
- Enter Mandatory CyberArk Details:
- AppId: Input the Application ID as defined in CyberArk. This ID uniquely identifies the LoadGen application within CyberArk.
- Safe: Specify the name of the Safe where LoadGen credentials are stored in CyberArk.
- Configure Optional Settings:
- Run as Profile folder name: Define the folder for 'Run as Profile' accounts within the Safe. Leave blank for the root folder.
- SQL users folder name: Enter the folder for SQL user accounts, or leave empty to default to the root folder.
- Test users folder name: Specify the folder for test user accounts, or use the root folder by default.
Activate CyberArk on LoadGen Agents (Optional)
If you wish to enable CyberArk integration directly on LoadGen Agents for independent credential retrieval, check the option 'Activate CyberArk on LoadGen Agents'. This option allows LoadGen Agents to independently connect to the CyberArk Credential Provider Service for password retrieval, enhancing security in environments where Agents are in isolated or physically secured locations.
- Verify User Connections:
- Click 'Check Users' to ensure connectivity and accessibility of user accounts within CyberArk.
- If all credentials are correctly retrieved and verified, save your settings by clicking the green check mark.
By following these steps, LoadGen will be seamlessly integrated with CyberArk, enhancing the security and management efficiency of credentials in your automated testing processes. This setup ensures that sensitive data is securely handled by both the LoadGen Director and individual LoadGen Agents.
Validating User Credentials in LoadGen with CyberArk
To confirm that LoadGen users are correctly linked to CyberArk:
- Open the LoadGen Director and navigate to the 'Tools' menu.
- Choose 'LoadGen Options' and proceed to the 'Security' tab.
- Click on 'Check Users' to fetch the list of users from LoadGen.
- After retrieving the users, select 'Perform password check' to test the connectivity and validate that all user credentials are retrievable from your CyberArk Vault.
- If any users are missing in CyberArk, proceed to add them to ensure seamless credential management for LoadGen operations.
Distributing Configuration Across LoadGen Components
If you have a distributed LoadGen environment with Director, Studio, or Analyzer on separate machines, it's important to propagate the CyberArk settings across all installations.
- Locate the Options.xml file on the initial installation server, typically found in %ProgramData%\LoadGen\.
- Copy this file to the corresponding directory on each machine that has LoadGen software installed.
- Ensure that each instance of LoadGen has access to the same CyberArk settings for consistent credential management.