CredentialManagerConfig.xml file

The CredentialManagerConfig.xml file provides configuration information to the internal Credential Service. The Credential Service provides credentials to the Pega RPA Service, the ASO Manager, and the Credential Store. You specify the provider that you use in the CredentialManager server element in the CommonConfig.xml file.

Note: For more information, see Common configuration settings.

The Credential Service supports the following providers for credentials:

DPAPI – Local credential storage using the Microsoft’s built-in Data Protection Application Programming Interface.
CyberArk - (Available in build 19.1.02 and later) CyberArk’s Privileged Access Security Solution. Pega Robotic Automation interfaces with a client-provided CyberArk system.
BeyondTrust – (Available in build 19.1.27 and later) BeyondTrust’s Password Safe. Pega Robotic Automation interfaces with a client-provided BeyondTrust system.
Client Credential Provider - (Available in build 19.1.13 and later) Enables you to get and set custom credentials using the IClientCredentialProvider interface. There is a sample C# solution in the Extras folder of the install directory that you can use as an example.
Custom – A custom combination of supported providers (DPAPI, BeyondTrust, and CyberArk).

This file is installed with Pega Robot Runtime and is located in the following folder:

C:\ProgramData\Pegasystems\CredentialManagerConfig.xml

The following is an example of the CredentialManagerConfig.xml file:

There are several credential types. You can store all credential types in a single provider or you can distribute them across the available providers. For example, you can store the credentials owned by the Pega RPA Service in CyberArk and store the credentials owned by Pega Robot Runtime in DPAPI. The following credential types are listed by the application that owns them:

Pega RPA Service

RegistrationOperation
WindowsUser
RuntimeUser

Pega Robot Runtime

RegistrationOperator
ASOManager
CredentialStore

Element

Description

Providers

Contains a list of available credential providers. Choose from the following credential providers:

DPAPI
CyberArk
BeyondTrust
Client Credential Provider (you use a mixture of the other credential providers)
Custom (you create your own credential provider)

DPAPI

Element	Description
Providers/Provider name=”DPAPI”	This credential provider has no additional parameters.

CyberArk

Available in build 19.1.02 and later.

Element

Description

Providers/Provider name=”CyberArk”

This credential provider includes the following parameters:

applicationID – Enter the CyberArk ApplicationID that is used to retrieve the credentials. CyberArk ApplicationIDs can be secured using the IP address, OS User name, application path, application hash, and other means. The ApplicationID should be provided by a CyberArk administrator.
adminOperator – Enter a value that can be used as a replaceable value for individual credentials.

Credentials

Lists the individual credentials for CyberArk. When mapping individual credentials, use the following dynamic values, which are determined at runtime:

{AdminOperator}
{RobotName}
{AdapterFriendlyName}

Using dynamic credential values stored in CyberArk can reduce the need for individual customization for each robot. Map credentials to CyberArk based on the following attributes for each credential as provided by a CyberArk administrator. For each credential, include the following information:

safe
folder
objectName
domain (optional)

If CyberArk does not return the domain value where you expect, contact CyberArk to find out where that value is stored. You can then place that value in the domain=domainName property.

The domain= property is not present for every device type. If you are configuring an account as a device type that does not include a domain= property, you can store the domain value in another property and identify that property in the Credential element by using the following format:

domain=”{the name of the property to substitute for domain}”

Credentials/Credential name=”RegistrationOperator”

This credential retrieves the Registration Operator. This name is a reserved name in the system. Include the following information:

safe
folder
objectName

Credentials/Credential name=”WindowsUser”

This credential retrieves the Windows user. This name is a reserved name in the system. Include the following information:

safe
folder
objectName

Credentials/Credential name=”RuntimeUser”

This credential retrieves the Robot Runtime user. This name is a reserved name in the system. Include the following information:

safe
folder
objectName

Credentials/Credential name=”{ASOManagerKey}”

This credential retrieves a value that is defined in the ASO Manager. This name is defined in an adapter credentials property configuration screen. Include the following information:

safe
folder
objectName

Credentials/Credential name=”{CredentialStoreKey}”

This credential retrieves a value that is defined in the Credential Store. The solution developer defines this name and it must include the following information:

safe
folder
objectName

Credentials/Credential name=”Default”

This credential retrieves a value when a request does not match another credential. You can use a credential naming strategy to reduce the need to individually specify credentials. Include the following information:

safe
folder
objectName

The following is an example of how you could use this credential type:

With these settings, each robot would have its own safe and each application credential would have an objectName with the Adapter Friendly Name and the Robot Name separated by a dash. Using this pattern, you can store many credentials in a safe that is only accessible by this robot and you do not need to list these individually.

BeyondTrust

Available in build 19.1.27 and later.

Element	Description
Providers/Provider name=”BeyondTrust”	This credential provider includes the following parameters: *baseUrl - Enter the URL required to access the BeyondTrust server, according to the following pattern: https://server/BeyondTrust/api/public/v3 Where server is the name of your server. Optional custom replaceable name/value pairs. You can define a value that is used throughout the BeyondTrust section and referred to by name in credential entries. The name must appear between braces when used. For example, by entering UserName="Admin" in the provider element, the name can then be used Runas="{UserName}". For BeyondTrust, you can use the following replaceable values: RobotName – The operator ID under which the robot is running. RobotIndex – In a multiple Robot Runtime system, the RobotIndex is assigned by the RPA Service. MachineName – The computer name. CurrentUser – The user who is currently logged in. You can only use this value for ASO Manager and Credential Store credentials. Workgroup – The work group that is assigned to the robot. AdapterFriendlyName – The application key that the ASO Manager or Credential Store provides. To use a replaceable value to provide an attribute, surround the name with braces. For example, to specify the applicationName parameter, use the following format: applicationName="{AdapterFriendlyName}"
Credentials	Lists the individual credentials for BeyondTrust. When mapping individual credentials, use the following dynamic values, which are determined at runtime: {RobotName} {RobotIndex} {MachineName} {CurrentUser} {Workgroup} {AdapterFriendlyName} For each credential, specify the following information: name – The reserved words RegistrationOperator, WindowUser, and RuntimeUser are all valid. The application keys specified by ASO Manager and Credential Store are also valid. Default can also be used for application credentials to provide a catch-all credential definition. systemName – Defines the BeyondTrust asset under which the credentials are stored. workgroup – Optional. If you do not specify a work group or no match is found, the system selects a credential with an empty work group. applicationName – Optional. If you specify an applicationName, this value must match an application defined in BeyondTrust. If you do not specify a value, the system uses the name attribute as the application name. accountNamePostfix – Optional. This value matches the end of an account name and provides a way to differentiate between account names contained by a single asset in BeyondTrust. Postfixes are removed from the account name in returned credentials. runas – A BeyondTrust user that belongs to a group that is authorized to access the credentials using the provided API key. If passwords are required, the runas user must be stored locally using the CredManagerUI application. APIGroup - The name of the API key that the CredManagerUI application stores locally. The API key must be authorized to retrieve this credential.
Credentials/Credential name="RegistrationOperator"	This credential retrieves the Registration Operator and is used by the RPA Service and Robot Runtime. The RegistrationOperator is a reserved name and can only appear once in the BeyondTrust section. Include the following information: systemName applicationName - must be RegistrationOperator runas APIGroup
Credentials/Credential name="WindowsUser"	This credential retrieves the Windows user. The WindowsUser is a reserved name and is used only by the RPA Service. Include the following information: systemName workgroup – optional applicationName - must be WindowsUser runas APIGroup
Credentials/Credential name="RuntimeUser"	This credential retrieves the Windows user that is used to launch Robot Runtime. The RuntimeUser should only be specified when you want Robot Runtime to run under a credential that is not the same as the user who is logged in. This is a reserved name and is used only by the RPA Service. Include the following information: systemName workgroup – optional applicationName - must be RuntimeUser runas APIGroup
Credentials/Credential name="{ASOManager Key}"	Retrieves a credential for an application key defined in the ASO Manager. This application key is only used by Robot Runtime. Include the following information: systemName workgroup – optional applicationName accountNamePostfix – optional runas APIGroup
Credentials/Credential name="{CredentialStore Key}"	Retrieves a credential for an application key defined in the Credential Store. This application key is only used by Robot Runtime. Include the following information: systemName workgroup – optional applicationName accountNamePostfix – optional runas APIGroup
Credentials/Credential name="Default"	The Default credential matches when there is a credential request but no match with a credential name. This credential is only used by Robot Runtime. Include the following information: systemName workgroup – optional applicationName accountNamePostfix – optional runas APIGroup
Available in build 19.1.118 and later.	The following properties were added to the Provider element: matchingMethod - Specifies the matching method for BeyondTrust accounts. Valid values for matching method are: Application - Matching by application name. (Default) AccountName - Matching by account name, either full account name or account name keyword. (Recommended) accountLimit - (optional) Indicates the number of accounts to retrieve with each BeyondTrust API request. If an account is not matched in the current batch, the system retrieves the next batch. The default batch size is 1000. Here is an example of how you could set up a Provider element with these two properties: <Provider name="BeyondTrust" baseURL=https://example.ps.beyondtrustcloud.com/BeyondTrust/api/public/v3 proxyAddress="" HttpClientTimeoutSeconds="100" matchingMethod="AccountName" accountLimit="1000" > The following property was added to the Credential element for use with the AccountName matching method: accountName - Only used if you chose the AccountName matching method. When an account name is matched, the account name that is returned has the matched part removed. The match text can include placeholders. The following keywords are supported: StartsWith(Value) - The value that the account name starts with. EndsWith(Value) - The value that the account name ends with. Contains(Value) - A value contained in the account name. EnclosedBy(Value1,value2) - The account name starts with value1 and ends with value2. Regex(Value) - A custom regex to match the account name with only one match group. Here are some examples of how you could set up a Credential element with these properties. In this example, an account name that ends with "@Company" is used: <Credential name="RegistrationOperator" systemName="{MachineName}" runas="John" APIGroup="RPA" accountName="EndsWith(@Company)" /> In this example, the applicationName property is used: <Credential name="WindowsUser" systemName="ROBOT1" workgroup="" accountNamePostfix="@{RobotIndex}" runas="user" APIGroup="apiGroup" applicationName = "WindowsUser"/> If the selection matching method is Application, you can match by using the accountNamePostfix and applicationName properties. If the selection matching method is AccountName, you can match by using only the accountName property.

Client Credential Provider

With this credential provider, you can mix the other credential providers. For example, you could define the registrationOperator using CyberArk and the WindowsUser using BeyondTrust. This credential provider is available in build 19.1.13 and later.

Element	Description
Providers/Provider name=”Client Credential Provider ”	Use this credential to get and set custom credentials using the IClientCredentialProvider interface. You can customize and set up multiple Provider names. Include values for the following attributes: providerType - Set to Client. assemblyName - The path to the assembly DLL file that contains the class. className - The name of the class that implements IClientCredentialProvider interface. The following is an example: <Provider name="MyProvider" providerType="Client" className="ClientProviderClassName" assemblyName="PathToAssembly"> All attribute name and value pairs of each Credential element are stored in the "customData" dictionary and passed to the IClientCredentialProvider methods. There are no restrictions on the number of attributes or the names of those attributes. All attributes that are listed with a credential are passed to the IClientCredentialProvider.
Credentials	Lists the individual credentials. With each credential request, all the dynamic values are sent. There are no required parameters values other than the name. The work group is only required to differentiate between credentials of the same type when they exist, for example, if you have two WindowsUser credentials. Any name/value pair for the credential that you select is sent to the Client Credential Provider, along with the following dynamic values. {RobotName} {RobotIndex} {MachineName} {CurrentUser} {Workgroup} {AdapterFriendlyName} Add name/value pairs as needed by your credential provider to identify the credential in your source system.
Credentials/Credential name="RegistrationOperator"	This credential retrieves the Registration Operator and is used by the RPA Service and Robot Runtime. The RegistrationOperator is a reserved name and can only appear once in this section.
Credentials/Credential name="WindowsUser"	This credential retrieves the Windows user. The WindowsUser is a reserved name and is used only by the RPA Service. To specify multiple WindowsUser accounts, use a WorkGroup value to differentiate between credentials.
Credentials/Credential name="RuntimeUser"	This credential retrieves the Windows user that is used to launch Robot Runtime. The RuntimeUser should only be specified when you want Robot Runtime to run under a credential that is not the same as the user who is logged in. This is a reserved name and is used only by the RPA Service. To specify multiple RuntimeUser accounts, use a WorkGroup value to differentiate between credentials.
Credentials/Credential name="{ASOManager Key}"	Retrieves a credential for an application key defined in the ASO Manager. This application key is only used by Robot Runtime.
Credentials/Credential name="{CredentialStore Key}"	Retrieves a credential for an application key defined in the Credential Store. This application key is only used by Robot Runtime.
Credentials/Credential name="Default"	The Default credential matches when there is a credential request but no match with a credential name for AsoMananger or CredentialStore. This credential is only used by Robot Runtime.

Custom

With the Custom provider option. you can source credentials from more than one credential provider. For example, you can use DPAPI for RegistrationOperator and WindowsUser while using BeyondTrust for AsoManager and CredentialStore. This option provides flexibility when configuring how the system retrieves credentials.

There are five types of credentials: RegistrationOperator, WindowsUser, RuntimeUser, AsoManager, and CredentialStore credentials. When you use the Custom provider, define which credential provider the system should use for each credential type.

Element

Description

Providers/Provider name=”Custom”

With build 19.1.44 and later you can specify a defaultProvider value. This value defines the credential provider for each credential type that is not explicitly mentioned. It is only required to provide CustomProvider elements to define credential types that are not serviced by the default provider.

Prior to 19.1.44, you must add a CustomProvider entry for each credential provider that you are activating. The CustomProvider element must define for each credential type whether that provider services the credential request. You must define at least two CustomProviders and assign to each credential type a provider.

CustomProvider name=”name”

Use a custom provider to define which credential type requests are serviced by a particular credential provider. A CustomProvider element requires a name attribute that must match a defined credential provider name. The system uses additional attributes to determine which credential types are serviced by the named credential provider. Set each attribute to True or False for the following:

registrationOperator
windowsUser
runtimeUser
asoManager
credentialStore

With build 19.1.44 and later, add a custom provider entry for each credential provider other than the default provider that you use. You can omit additional attributes that are set to False. The following is an example:

Prior to build 19.1.44, each custom provider should include all additional attributes and there must be a provider assigned to service each credential type. The following is the same example for installations prior to 19.1.44: