Is this possible? If so, are there best practices or a document describing how to set this up?
Nope, this is not possible yet. Please contact your TAM to have it added as a feature, and hopefully we will have enough to push it to the PM.
There is no API integration with CyberArk at this time. What exactly would you like to see in this regard? Can you give us an example workflow and how you feel it should work (i.e. a detailed use case)? Thanks.
Sure. My use case is to be able to add and remove credentials (Windows and Unix) which are stored in pre-existing vaults. So being able to choose which pw vault is used and indicate on creation the IPs/domain that the account should be used for authentication.
Would like to be able to update password for API user using API calls. Password would be maintained in our vault and scripts would make API calls and if password were expired, or on a scheduled basis would update password in Qualys for API user account.
This is completely different from the above. This would require the Qualys authentication to be handled remotely via API, which is not currently exposed.
This discussion refers to authentication records for scanning; your question refers to QualysGuard authentication itself.
My use case would either be
1) Create a user account for API use that fetches credentials from CyberArk to validate credentials specified in API call by my script
2) Allow my API user account to make API calls and login with credentials, and if they expire, then return an error code; subsequent call would need to allow API call to update to new password requiring old password to be provided.
Part 1 of this is currently supported; we are doing it now.
1) We are doing this today with the Qualys/CyberArk integration. The Qualys scanner calls the credentials from the vault and uses them throughout the scan.
2) Need more detail here on what you are meaning.
He's not asking for CyberArk creds for use during a scan, he wants to manage the Qualys cred used to access the Qualys API. Completely different thing. This would be an FR.
Ah, in that case something I have thought of using is the following. I can't claim ownership, but a smart CyberArk evangelist can.
Have 2 Qualys API credentials stored in CyberArk (assume cred1 and cred2). Since the Qualys API doesn't allow a user to change their own password via the API, you would set cred1 to be the recovery account for cred2 and vice versa. Concoct a script such that when CyberArk attempts to call for a password change it immediately fails but succeeds in allowing it to change the cred of a different user.