
Issue: Venafi Platform 21.3 and below does not work with CyberArk 12.x and higher

Applies to:

Trust Protection Platform version 21.3 or lower
CyberArk Version 12.x or higher

Symptom:

Aperture and WebAdmin return an error when attempting to create CyberArk Credentials:

PDKTU004E Failed to receive data (Reason=[index was outside the bounds of the array.])

In the Windows Credential Provider debug logs, you may see the following error:
APPAP009E Application Password Provider exception occurred. APPAP381E SDK Protocol version is not supported, Please use the updated version (Codes: -1, -1)

Cause:

In Trust Protection Platform 21.3 and below, passwords are retrieved from CyberArk using the Windows Credential Provider (sometimes also referred to as the AIM or AAM Agent), which is a CyberArk agent that is installed on each Trust Protection Platform server. To communicate with the Windows Credential Provider, Venafi software uses the Credential Provider SDK from CyberArk 10.x.

In version 12.x of CyberArk Vault, the security architecture between the SDK and the Windows Credential Provider changed so that older versions of the SDK do NOT work with version 12.x of the Windows Credential Provider (i.e. AAM Agent).

Resolution:

Option 1) Copy the newer version of the CyberArk SDK DLL into the Venafi Program Files

  1. Make sure version 12 of the CyberArk Windows Credential Provider (i.e. AAM Agent) is installed on all Venafi servers
  2. Stop all Venafi Windows services on all Venafi servers
  3. Stop IIS on all Venafi servers
  4. Back up the current CyberArk SDK file that Trust Protection Platform ships with:
    C:\Program Files\Venafi\Drivers\Credentials\NetPasswordSDK.dll
    Make sure you are backing it up to a location that is outside of the Venafi installation folder
  5. Copy the v12 of the CyberArk SDK from:
    C:\Program Files\CyberArk\ApplicationPasswordSdk\NetPasswordSDK.dll
    to
    C:\Program Files\Venafi\Drivers\Credentials\NetPasswordSDK.dll
  6. Restart all Venafi Windows services and IIS on all Venafi servers.
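
Steps 2 through 6 for a single server, as an added PowerShell example (not a Venafi or CyberArk script), with a signature check on the replacement DLL and a hash check after the copy. Assumptions: the Venafi services have display names beginning with "Venafi", the CyberArk DLL is Authenticode-signed, and D:\Backup\VenafiCyberArkSdk is a hypothetical backup folder. The article calls for services and IIS to be stopped on all Venafi servers before any DLL is replaced.

```powershell
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Paths taken from the article
$source = 'C:\Program Files\CyberArk\ApplicationPasswordSdk\NetPasswordSDK.dll'
$target = 'C:\Program Files\Venafi\Drivers\Credentials\NetPasswordSDK.dll'
# Hypothetical backup folder; must be outside the Venafi installation folder
$backupDir = 'D:\Backup\VenafiCyberArkSdk'
# Assumption: Venafi Windows services have display names starting with "Venafi"
$serviceFilter = 'Venafi*'

# Inspect the replacement DLL before it goes into the Venafi folder
$sig = Get-AuthenticodeSignature -FilePath $source
$ver = (Get-Item $source).VersionInfo.FileVersion
Write-Host "Source DLL version: $ver"
Write-Host "Signature: $($sig.Status), signer: $($sig.SignerCertificate.Subject)"
# Assumption: the vendor signs this DLL; confirm the signer shown above is CyberArk
if ($sig.Status -ne 'Valid') { throw "Signature on $source is $($sig.Status)" }

# Steps 2-3: stop Venafi services and IIS, remembering what was running
$running = @(Get-Service -DisplayName $serviceFilter |
    Where-Object Status -eq 'Running')
$running | Stop-Service -Force
iisreset /stop
if ($LASTEXITCODE -ne 0) { throw 'iisreset /stop failed' }

# Step 4: timestamped backup of the DLL that shipped with the platform
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $backupDir "NetPasswordSDK.$stamp.dll"
Copy-Item -Path $target -Destination $backup
Write-Host "Backup: $backup SHA256=$((Get-FileHash $backup -Algorithm SHA256).Hash)"

# Step 5: copy the v12 SDK and confirm the copy is byte-identical
Copy-Item -Path $source -Destination $target -Force
$srcHash = (Get-FileHash $source -Algorithm SHA256).Hash
$dstHash = (Get-FileHash $target -Algorithm SHA256).Hash
if ($srcHash -ne $dstHash) { throw 'Copied DLL does not match the source' }
Write-Host "Installed: $target SHA256=$dstHash"

# Step 6: restart IIS and only the services that were running before
iisreset /start
if ($LASTEXITCODE -ne 0) { throw 'iisreset /start failed' }
$running | Start-Service
```

To roll back, stop the services and IIS again and copy the timestamped backup over the target path.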

Option 2) Keep the Windows Credential Provider on version 11 or lower 

The CyberArk SDK that ships with the Trust Protection Platform is compatible with 9.x through 11.x of the Windows Credential Provider.  If you leave these older versions of the agent installed on the Trust Protection Platform, they can still work with newer versions of the CyberArk Vault services.

 

Option 3) Upgrade Venafi Trust Protection Platform to 21.4 or higher once released

Venafi Engineering is working to make Trust Protection Platform work with both the older and newer versions of CyberArk, as well as providing the option to work with the REST-based Central Credential Provider that was introduced in version 10.x of CyberArk Vault.
