CyberArk AIM Vault

It's easy to store your passwords and other sensitive information using your CyberArk AIM solution and use them for authentication.

Good to Know

CyberArk Central Credential Provider (CCP) is required.

You can request this sensitive information from your CyberArk AIM solution:
- Login Password (all supported authentication types)
- Private Key and Private Key Passphrase (Unix, PostgreSQL, MongoDB only)
- Root Delegation Password (Unix only)

Quick Links

CyberArk AIM Integration Guide | Vault Support Matrix


- Leading and/or trailing space or periods in the input value will be removed.

- These restricted words cannot be included: Users, Addresses, Areas, XUserRules, unknown, Locations, Safes, Schedule, VaultCategories, Builtin.

- These special characters cannot be included: \ / : * ? " < > | \t \r \n \x1F.

- Leading and/or trailing space in the input value will be removed.

- These special characters cannot be included: \ / : * ? " < > | \t \r \n \x1F.

The certificate stores the base64-encoded client X.509 certificate in PEM format. The private key stores the base64-encoded client private key that corresponds to the public key stored in the certificate.




Using variables in the vault folder or file name

You can use one or more variables when defining the folder name or file name in order to match several targets that use the same naming convention. During the scan, we'll match the variables to hosts that are already defined in the vault.

Important - When using variables to gather credentials from a CyberArk AIM vault, be sure the scanner appliance used for the scan job has scanner version 11.8 or later. Authentication will fail if the scanner appliance has an older version because the scanner will not be able to resolve the variables in your authentication record to actual values. Not sure which scanner version is on your appliance? Go to the Scans > Appliances list to see the version for each appliance and update the version if needed.


Let's say you have these 4 devices in your CyberArk AIM vault:

You’ll need to create 2 records with the following configuration.

Record 1: ${dnshost} (matches

Record 2: ${host}-${ip_dash} (matches host40-10-20-30-40, host80-10-50-60-70, host12-10-30-10-12)
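
To check a naming convention before creating the record, the following added example (not part of the product or its documentation) resolves a Record 2 style template for each host and applies the input rules that both lists above share: surrounding spaces are trimmed and the listed special characters are rejected. The function names and the host inventory are constructed for illustration, and only `${host}` and `${ip_dash}` are filled, since their form is the one visible in the Record 2 matches.

```python
import ipaddress
import re

# Characters both rule lists on the page forbid: \ / : * ? " < > | \t \r \n \x1F
FORBIDDEN = set('\\/:*?"<>|\t\r\n\x1f')
VAR = re.compile(r"\$\{(\w+)\}")


def host_values(host, ip):
    """Values for the two variables whose form Record 2 on the page shows."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    return {"host": host, "ip_dash": str(addr).replace(".", "-")}


def resolve(template, host, ip):
    """Substitute ${name} variables; refuse any variable this sketch cannot fill."""
    values = host_values(host, ip)

    def fill(match):
        name = match.group(1)
        if name not in values:
            # An unresolved variable would otherwise be sent to the vault literally.
            raise KeyError(f"unresolved variable ${{{name}}}")
        return values[name]

    return VAR.sub(fill, template)


def check_name(value):
    """Trim surrounding spaces, then list any forbidden characters that remain."""
    trimmed = value.strip(" ")
    bad = sorted(c for c in set(trimmed) if c in FORBIDDEN)
    return trimmed, bad


# Constructed inventory, chosen to reproduce the Record 2 matches on the page.
HOSTS = [("host40", "10.20.30.40"), ("host80", "10.50.60.70"), ("host12", "10.30.10.12")]

if __name__ == "__main__":
    for host, ip in HOSTS:
        name, bad = check_name(resolve("${host}-${ip_dash}", host, ip))
        print(f"{host} ({ip}) -> {name!r} forbidden={bad}")
```

A name that comes back with a non-empty forbidden list, or a template that raises on an unresolved variable, points to a record that would fail to match an object in the vault.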