# Integrating with CyberArk® Secrets Manager, Self-Hosted

CyberArk® Secrets Manager, Self-Hosted offers an enterprise-grade secrets management solution that provides a secure, centralized vault for storing and managing credentials like passwords, API keys, and tokens.

Integrating ThousandEyes with your CyberArk® Secrets Manager, Self-Hosted vault addresses critical security and compliance needs for enterprise organizations. Key use cases include:

* **Enhanced Security:** Credentials are dynamically fetched at test runtime by Enterprise Agents within your network. Sensitive secrets are never stored, cached, or logged by the ThousandEyes platform, reducing the attack surface.
* **Compliance Adherence:** Meets strict compliance mandates (such as FedRAMP®, ISO 27001, and SOX) that prohibit storing secrets in third-party cloud platforms.
* **Centralized Management:** Simplifies credential management. When a secret is rotated in your vault, ThousandEyes tests automatically use the updated credential without requiring manual updates, reducing operational overhead and the risk of error.

This document outlines how to integrate ThousandEyes with your CyberArk® Secrets Manager, Self-Hosted vault. For more information about the CyberArk® vault, see the [CyberArk® Secrets Manager, Self-Hosted Documentation](https://docs.cyberark.com/conjur-enterprise/latest/en/content/resources/_topnav/cc_home.htm).

This integration uses the Integrations 2.0 framework, which requires configuring a **Connector** to establish the secure link to your vault and an **Operation** to define which credential to retrieve.

## Configuring the Integration

Configuration requires a role with the `INTEGRATIONS ALL UPDATE` permission, such as the built-in Account Admin role.

To create the CyberArk® integration:

1. [Create a CyberArk® Connector](#create-a-cyberark-connector)
2. [Create a Credential Vault Operation](#create-a-credential-vault-operation)

### Create a CyberArk® Connector

The connector defines the connection details and authentication credentials for your CyberArk® Secrets Manager, Self-Hosted instance.

1. Navigate to **Integrations > Integrations 2.0** and click **New Connector**.
2. Choose **CyberArk® Secrets Manager, Self-Hosted** from the list of integrations in the side modal that appears.
3. Fill in the connector fields to configure the connection to your vault. See [Example Configuration](#example-configuration).
4. Click **Save and Assign Operation**. After saving, you will be automatically directed to the **Add Operation** screen.

{% hint style="info" %}
There is no **Test** button for this configuration. Because CyberArk® Secrets Manager, Self-Hosted instances are typically not internet-facing, the ThousandEyes platform cannot directly validate the connection details from the UI. Verification occurs when an Enterprise Agent attempts to retrieve a credential during a test run.
{% endhint %}

#### Example Configuration

Use the table below as a guide for filling in the connector fields. The example values correspond to a host defined in CyberArk® Secrets Manager, Self-Hosted at a URL like `https://cyberark-follower.acme.com/authn/acme/myapp/hosts/te-webapp`.

| Field                        | Example Value               | Description                                                                                                                                                          |
| ---------------------------- | --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Connector Name**           | `CyberArk-Prod-Vault`       | A descriptive name for your reference in ThousandEyes.                                                                                                               |
| **CyberArk Server Hostname** | `https://cyberark.acme.com` | The base URL of your CyberArk® Secrets Manager, Self-Hosted server.                                                                                                  |
| **Account**                  | `acme`                      | Your organization's account name in CyberArk® Secrets Manager, Self-Hosted.                                                                                          |
| **Host ID**                  | `myapp/hosts/te-webapp`     | The unique identifier for the host that ThousandEyes will use to authenticate. Enter the host identity without the `host/` prefix; the system adds it automatically. |
| **API Key**                  | `******************`        | The API key associated with the Host ID.                                                                                                                             |

For detailed instructions on how to create a Host and retrieve its API key within your environment, refer to the [CyberArk® Secrets Manager, Self-Hosted Documentation](https://docs.cyberark.com/conjur-enterprise/latest/en/content/resources/_topnav/cc_home.htm).
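Because the connector has no **Test** button, it helps to sanity-check the field values before the first test run. The following is an added example, not ThousandEyes or CyberArk code: a hypothetical helper, `buildConjurPreflight`, that validates the connector fields and builds the two requests you could issue from a host on the Enterprise Agent's network. It assumes the standard Conjur REST API paths (`/authn/{account}/{login}/authenticate` and `/secrets/{account}/variable/{id}`); how the agent calls the vault internally is not described on this page.

```javascript
// Added example (hypothetical helper, not ThousandEyes or CyberArk code).
// Assumes the standard Conjur REST API paths; sample values are the ones
// from the table above plus the page's `path/to/my/secret` identifier.
function buildConjurPreflight({ hostname, account, hostId, credentialIdentifier }) {
  let base;
  try {
    base = new URL(hostname);
  } catch {
    throw new Error(`CyberArk Server Hostname is not a URL: ${hostname}`);
  }
  const problems = [];
  if (base.protocol !== 'https:')
    problems.push('hostname must use https so the API key is not sent in clear text');
  if (base.pathname !== '/' || base.search || base.hash)
    problems.push('hostname must be the base URL only, without a path or query');
  if (base.username || base.password)
    problems.push('hostname must not embed credentials');
  if (!/^[^\s/]+$/.test(account))
    problems.push('account must be a single name without slashes or spaces');
  // The Host ID is entered without "host/"; the prefix is added automatically.
  if (/^host\//.test(hostId))
    problems.push('Host ID must be entered without the "host/" prefix');
  if (/^\/|\/$/.test(credentialIdentifier))
    problems.push('Credential Identifier must not start or end with "/"');
  if (problems.length) return { ok: false, problems };

  // Identifiers placed in a Conjur URL path must be URL-encoded ("/" -> %2F).
  const enc = encodeURIComponent;
  const login = `host/${hostId}`;
  return {
    ok: true,
    problems,
    login,
    authenticate: {
      method: 'POST',
      url: `${base.origin}/authn/${enc(account)}/${enc(login)}/authenticate`,
      headers: { 'Accept-Encoding': 'base64' }, // ask for a base64 access token
      body: '<API key>', // placeholder: never hard-code the real key
    },
    retrieve: {
      method: 'GET',
      url: `${base.origin}/secrets/${enc(account)}/variable/${enc(credentialIdentifier)}`,
      headers: { Authorization: 'Token token="<base64 access token>"' },
    },
  };
}

// Constructed sample input using the example values from this page.
const sample = buildConjurPreflight({
  hostname: 'https://cyberark.acme.com',
  account: 'acme',
  hostId: 'myapp/hosts/te-webapp',
  credentialIdentifier: 'path/to/my/secret',
});
console.log(sample.ok ? sample.authenticate.url : sample.problems);
```

A failed `authenticate` request points at the hostname, account, Host ID, or API key; a failed `retrieve` request with a valid token points at the Credential Identifier or the host's permissions in the vault policy.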

### Create a Credential Vault Operation

The operation defines the specific credentials that ThousandEyes can retrieve from your vault.

1. From the **Operations** tab, click **New Operation**. The **Add Operation** side panel opens.
2. Select **Credential Vault** from the list of available operation types.
3. Fill in the following fields:
   * **Operation Name**: A descriptive name for the operation (such as `Retrieve-API-Test-Secret`).
   * **Credential Name**: A user-friendly name for the credential that will appear in test settings (such as `WebApp Login`).
   * **Credential Identifier**: The full path to the secret within your CyberArk® vault (such as `path/to/my/secret`). This tells the Enterprise Agent which secret to fetch.
4. Enter **Credential Name** and **Credential Identifier** pairs for each credential from your vault you would like to use to run your tests.
5. Click **Save and Assign Connector**.
6. Select your CyberArk® connector and click **Save**. If you do not have a CyberArk® connector, see the section [Create a CyberArk® Connector](#create-a-cyberark-connector) for instructions on how to create one.

Your integration is now configured. You can repeat the operation steps to define additional credentials from your vault.

## Managing and Deleting Credentials

To ensure test integrity, ThousandEyes provides a safe workflow for deleting credentials that are currently in use.

If you attempt to delete a credential from a Credential Vault operation that is still being used by one or more tests, a confirmation dialog appears. This dialog lists all the tests that are currently assigned to that credential.

To prevent these tests from failing unexpectedly, the **Disable the assigned tests** option is selected by default. If you proceed with the deletion while this option is checked, the credential will be removed, and all associated tests will be automatically disabled. You can deselect this option if you prefer to manage the tests manually after deleting the credential.

## Updating Test Settings to Use the Credential Vault

Once the integration is configured, you can update your tests to use credentials stored in your CyberArk Secrets Manager, Self-Hosted vault. To do this, navigate to the settings for a supported test, locate the relevant authentication field, and click the **key icon** to select a credential from your vault.

Below are the specific fields where Credential Vault integration is supported for each test type.

{% hint style="info" %}
This feature is only supported on **Enterprise Agents** with the **Credential Vault Accessor** module enabled. You can enable the module either through [Working with Agent Settings](https://docs.thousandeyes.com/product-documentation/global-vantage-points/working-with-agent-settings#agent-modules) or when configuring test settings. Cloud Agents cannot be used because they are internet-facing and cannot reach internal, non-internet-facing CyberArk instances. Enterprise Agents shared across multiple account groups are not supported at this time. The supported Enterprise Agent types for this integration are Docker, Linux Package Agents, ThousandEyes Virtual Appliance (TEVA), and ThousandEyes Physical Appliance (TEPA).
{% endhint %}

#### HTTP Server Test

Navigate to the **HTTP Authentication** tab. You can use a vault credential in the following fields:

* **Basic Authentication**: **Username** and **Password** fields.
* **NTLM Authentication**: **Username** and **Password** fields.

#### Page Load Test

Navigate to the **HTTP Authentication** tab. You can use a vault credential in the following fields:

* **Basic Authentication**: **Username** and **Password** fields.
* **NTLM Authentication**: **Username** and **Password** fields.

#### Transaction Test

In the **Transaction Script** editor, you can use the vault credential in place of a static credential from the built-in credential repository. Use the following field:

* **Secret** field.

#### API Test

Navigate to the **Authentication** tab. You can use a vault credential in the following fields:

* **Basic Authentication**: **Username** and **Password** fields.
* **OAuth 2.0**: **Client Secret** field.
* **API Key / Bearer Token**: **Bearer Token** field.

### Using Multiple Secrets in Transaction and API Tests

For advanced use cases, Transaction and API tests support referencing multiple secrets from a single Credential Vault operation within the same script. This allows you to manage different credentials (e.g., a username, a password, and an API key) in your vault and call them independently as needed.

To use this feature:

1. Define each secret as a separate **Credential Name** and **Credential Identifier** pair within a single Credential Vault operation.
2. In your test script, use the `credentials.get()` command to retrieve the secret by its **Credential Name**.

**Example Transaction Script:**

```javascript
import { By } from 'selenium-webdriver';
import { driver, credentials } from 'thousandeyes';

const username = credentials.get('WebApp Login');
const password = credentials.get('WebApp Password');
const apiKey = credentials.get('Backend API Key');

await driver.findElement(By.id('username')).sendKeys(username);
await driver.findElement(By.id('password')).sendKeys(password);
// ... make an API call with the apiKey
```

For more information on scripting, see the [Transaction Tests](https://docs.thousandeyes.com/product-documentation/browser-synthetics/transaction-tests/transaction-scripting-reference) and [API Tests](https://docs.thousandeyes.com/product-documentation/tests/api-tests/using-the-step-builder) documentation.

## Credential Vault Agent Compatibility

ThousandEyes enforces agent compatibility to ensure that tests using Credential Vault credentials are only assigned to agents that support the feature. This logic is applied in two primary workflows to prevent misconfigurations:

**1. Assigning Agents from Test Settings**

When you are creating or editing a test that uses a vault credential:

* The **Agents** selection dropdown is automatically filtered to show only compatible Enterprise Agents.
* If you assign an incompatible agent (such as a Cloud Agent or Raspberry Pi agent) *before* adding the vault credential, the platform will prompt you to remove the incompatible agents when you save the test.

**2. Assigning Tests from Agent Settings**

You can also assign tests to a specific agent by navigating to **Cloud & Enterprise Agents > Agent Settings**, selecting an agent, and going to the **Tests** tab.

* If the selected agent is incompatible with the Credential Vault feature, any tests that use vault credentials will be hidden from the list of assignable tests. This prevents you from assigning a vault-enabled test to an unsupported agent.

### Impact of Disabling the Credential Vault Accessor

If you attempt to disable the **Credential Vault Accessor** module on an Enterprise Agent that is currently assigned to one or more tests using vault credentials, a warning dialog will appear. Disabling the module will not delete or alter the test configurations, but those specific tests will no longer be able to run on that agent. If you proceed with disabling the module, the affected tests will stop executing on the agent until the module is re-enabled.

## Frequently Asked Questions (FAQ)

**Q: Is this integration secure?** A: Yes. Credentials are never stored in ThousandEyes. They are fetched in real-time by your Enterprise Agent over an encrypted, authenticated API call and are only held in memory for the duration of the test execution. All access is governed by your organization's policies in CyberArk.

**Q: Will the actual credential values appear in test configurations or logs?** A: No. Only the reference name for the credential (the **Credential Name** you defined) is visible in the ThousandEyes UI and API responses. The secret itself is never exposed.

**Q: Does this support credential rotation?** A: Yes. Because credentials are fetched dynamically at runtime, you can rotate secrets in your CyberArk vault according to your security policies. ThousandEyes tests will automatically retrieve the updated secret on the next run without any changes to the test configuration.

**Q: What happens if an Enterprise Agent fails to retrieve a credential?** A: If the agent cannot connect to the vault or retrieve the secret (for example, due to incorrect connector settings, network issues, or invalid permissions in CyberArk), the test will fail. The test results will display an error message indicating that it was unable to access the credential.

**Q: Which test types support this integration?** A: In this initial release, the integration is supported for the following test types:

* HTTP Server
* Page Load
* Transaction
* API

**Q: Which CyberArk products are supported?** A: Only CyberArk® Secrets Manager, Self-Hosted (Conjur Enterprise) is supported. CyberArk CCP (Central Credential Provider), PAM (Privileged Access Manager), and Conjur Cloud (SaaS) are not supported at this time.

## Troubleshooting and Error Messages

This section explains common error messages and behaviors you may encounter in the ThousandEyes UI when configuring the Credential Vault.

### Test Settings - Agent Selector

* **Cloud Agents Tab Disabled:** When configuring a test, you may see the **Cloud Agents** tab disabled with the tooltip `Cloud Agents cannot be used with Credential Vault Accessor`. This occurs because Cloud Agents are internet-facing and cannot securely access internal, self-hosted vaults.
* **Filtered Agent List:** When a vault credential is selected for a test, a message appears in the agent selector: `Only showing agents that can be used with Credential Vault Accessor`. The list automatically filters out incompatible agents (such as those without the module enabled or unsupported hardware).

### Test Settings - Saving a Test

* **Incompatible Agent Error:** If you attempt to save a test where an incompatible agent is assigned, you will see the error: `Enterprise Agents assigned to this test cannot be used with Credential Vault Accessor`. You must remove the incompatible agents to proceed.
* **Module Enablement Confirmation:** If you assign a compatible agent that simply hasn't had the module turned on yet, a confirmation dialog will appear: `Enterprise Agents will be enabled to use Credential Vault Accessor`. Clicking confirm will automatically enable the module on those agents.
* **Permissions Error:** If you do not have the necessary permissions to modify an agent's configuration, you may see: `Agent cannot be used with vault due to permissions issue`. Contact your administrator to adjust your permissions or enable the module on the agent.

### Agent Settings - Assigning Tests

* **Incompatible Agent Warning:** When manually assigning tests to a specific agent in **Agent Settings**, if the agent is incompatible (e.g., a Raspberry Pi), you will see: `This agent does not support Credential Vault Accessor. Remove tests configured with vault(s).`
* **Bulk Edit Error:** When bulk-editing tests for multiple agents, if some selected agents are incompatible, an error appears at the top of the screen: `X Agents are not available for credential vault.` The incompatible agents will not be assigned the test.

### Test Views

* **Credential Failure Links:** If a test fails specifically due to a credential retrieval issue (e.g., the agent could not reach the vault), the error message in the **Test View** will include a direct link to the specific vault/secret configuration in the **Integrations** page. This allows you to quickly verify your connector and operation settings.
