
Import from CyberArk

Import Accounts from CyberArk Safes using Microsoft PowerShell and the CyberArk PACLI utility.

CyberArk includes a Command-Line Interface, PACLI, that communicates directly with the CyberArk Vault. It operates on "files" stored in "safes" in the vault. It can export CyberArk account data, which CyberArk clients like PrivateArk and Password Vault Web Access (PVWA) store as files in safes.

The instructions below use a PowerShell script that calls PACLI to export all the files matching a pattern. With the default pattern, "*", it exports every file in the Safe. For each file it extracts the Username, Address, and password; it can be configured to extract other fields if required. The script returns the exported files as objects, so ConvertTo-CSV is then used to transform them into comma-separated values (CSV) format for import into Keeper.

Prerequisites

Three external components are required to use the script below:

  1. CyberArk PACLI

  2. A Vault.ini configuration file

  3. A User.ini credential file

CyberArk PACLI

The PACLI is available for download from the CyberArk Marketplace website. It is a zip file containing the PACLI.exe binary and some supporting files. The script will expect the path of the directory containing the binary.

Vault.ini

The vault.ini file contains parameters PACLI needs to locate and log on to the vault. For example:

The VAULT can typically be left as "CAMainVault".

The ADDRESS is the hostname or IP address of the CyberArk Vault server.

The PREAUTHSECUREDSESSION and TRUSTSSC settings are required when the log-on user is authenticated via LDAP (Active Directory) or RADIUS. Otherwise, they may be omitted.

User.ini

The User.ini file is in INI format. However, it is generated using the CreateCredFile.exe tool that CyberArk includes with some of its components. For example, generating a user.ini for Myuser in the CORP Active Directory domain:

The latest version of the PACLI zip contains the tool. Running it with the /? parameter will explain the other options that are useful in other authentication scenarios.

Export

Paste the following into a file ending with .ps1, e.g., Export-CyberArkSafeFiles.ps1

Extract the PACLI.zip into the same directory or a sub-directory of the directory containing the script.

Open PowerShell and change to the directory containing the script.

Note that using tab characters instead of commas, using UTF-8 encoding, excluding a header, and not quoting the data all help Keeper import the data properly.

Transformation

PowerShell can help transform the data beyond just formatting it as CSV. This more advanced example creates the "login" field by combining the Username and Address fields and uses it as the "title" field as well.
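
The following is an added sketch of that transformation, not the page's original script. The sample accounts, the helper name `ConvertTo-KeeperRow`, the `Username@Address` join, the column order and the output file name are all assumptions; it also skips any row whose value contains a tab or line break, since unquoted tab-separated data cannot represent one.

```powershell
# Constructed sample objects standing in for what the export script emits
# (Username, Address and Password properties, as described above).
$exported = @(
    [pscustomobject]@{ Username = 'svc_backup'; Address = 'db01.corp.example'; Password = 'constructed-Pa55' }
    [pscustomobject]@{ Username = 'root';       Address = '10.0.0.15';         Password = "bad`tvalue" }
)

function ConvertTo-KeeperRow {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        # Assumption: column order; match it to the order used at import time.
        [string[]] $Columns = @('title', 'login', 'password')
    )
    process {
        # Assumption: "combining" Username and Address means Username@Address.
        $login = '{0}@{1}' -f $Account.Username, $Account.Address
        $row = @{ title = $login; login = $login; password = [string]$Account.Password }

        foreach ($name in $Columns) {
            # A tab or line break inside an unquoted value would shift or
            # split the columns on import, so the whole row is held back.
            if ($row[$name] -match '[\t\r\n]') {
                Write-Warning "Skipped $login : $name contains a tab or line break"
                return
            }
        }
        ($Columns | ForEach-Object { $row[$_] }) -join "`t"
    }
}

$lines = @($exported | ConvertTo-KeeperRow)

# No header row, no quoting, UTF-8 (written here without a byte-order mark).
$outFile = Join-Path (Get-Location).Path 'keeper-import.tsv'   # constructed file name
[System.IO.File]::WriteAllLines($outFile, [string[]]$lines, [System.Text.UTF8Encoding]::new($false))
```

Rows reported by the warning have to be entered in Keeper by hand; the warning names the account and field but never prints the password.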

Import