Configuring the agent to work with a password vault

Configure dynamic agents to work with a password vault by creating a dedicated profile.

About this task

Enhance your password management by configuring dynamic agents to function as proxies to password vaults. You can use a password vault of your choice. If you prefer to use CyberArk, see Configuring the agent to work with CyberArk.
Perform the following steps:
  1. Prerequisistes check:
    • Ensure all HCL Workload Automation components are at version 10.2.4 or later.
    • Ensure at least one profile is present on each agent acting as a proxy.
    • The profile is created automatically if you are upgrading from version 10.2.1 and later, otherwise it must be created manually.
    • In a z/OS environment, a dynamic domain manager is required.
    • If you are using pools, make sure all agents within the pool are correctly configured to integrate with CyberArk. Additionally, verify that all profiles on all agents are identical.
  2. Create a Profile: On the agent, create a profile located in /home/TWA_DATA_DIR/integrations/vault-profiles using a flat-text editor. If you name the profile default, it is selected automatically if no profile is specified in the job definition. You can create multiple profiles for the same password vault or for different password vaults to meet different requirements.
  3. Specify Parameters: The profile must contain the following parameters:
    [VaultProfile.Common]
Type = 
Description =
PasswordSolver = 
ConfigFile =
    where
    Type
    Specify the type of password vault to be used. This parameter is a string, and no validations are performed on its contents.
    Description
    Optionally write a description for the profile.
    PasswordSolver
    Contains the path to the password vault libraries. Alternatively, you can specify the absolute path to a script that retrieves the desired password from the password vault of your choice. This absolute path is consistent and independent of the current working directory, no matter where the file is located within the agent's file system.
    If you plan to use a script to integrate with a password vault rather than a library, you have to write a dedicated script and ensure it returns a string containing the value of the password to be used in the job.
    ConfigFile
    Specify the name and path of the configuration file for the password vault. Alternatively, you can insert the whole configuration file directly in this parameter.
  4. Job definition creation: Specify the desired profile when creating the job definition. If you do not specify a profile in the job definition, the default profile is used. For more information about creating the job definition so that the password is retrieved from a password vault, see Obtaining passwords from password vaults.