Plug-in Documentation

CyberArk

Overview

CyberArk Application Identity Manager, an integrated part of the CyberArk Privileged Account Security Solution, enables organizations to protect critical business systems by eliminating hard-coded credentials from applications, automation scripts, configuration files and software code, and by removing SSH keys from servers where they are used by applications and scripts. CyberArk Application Identity Manager offers agent and agentless deployment options to best meet the security and availability requirements of various business applications. The product is designed to help customers achieve enterprise level scalability, high availability and offer centralized management and reporting.

History

Version 7

Added configurable JSSE debugging field.

Version 6

Added Property Prefix field to Get Password from CCP step.

Version 5

Added support for Conjur v4.

Version 4

Added step to retrieve password from Central Credential Provider Web API.

Version 3

Created an SSL Context for sending client certificates to the CyberArk server.

Version 2

Added hidden SSL configuration properties.

Version 1

Initial release of the CyberArk plugin.

Steps

Process steps in the CyberArk plug-in

Authenticate Conjur

Authenticate Conjur using API Key to get a short-lived access token

Input properties for the Authenticate Conjur step
Name | Type | Description | Required
API Key | String | API key | Yes
Account | String | Organization account name | Yes
Api Version | Enumeration: v4, v5 | API version | Yes
Conjur URL | String | URL of Conjur, e.g. https://eval.conjur.org | Yes
Login | String | Login name of the client. For users, it is the user ID. For hosts, the login name is host/host-id | Yes
Output Property Access Token | String | Process request property for storing the retrieved access token | Yes
Proxy | String | Proxy; leave it blank if no proxy is needed | No

Get Password from CCP (Web Service)

Retrieve a password from CyberArk AIM Central Credential Provider via an HTTP request.

The Central Credential Provider is installed remotely from the agent on a central IIS server. This step sets the <prefix>/username, <prefix>/address, and <prefix>/password properties at either the component process request level or the generic process request level.

Input properties for the Get Password from CCP (Web Service) step
Name | Type | Description | Required
Application ID | String | The unique ID of the application issuing the password request. | Yes
Folder | String | The name of the folder where the password is stored. | No
Keystore File | String | The path to the agent machine's keystore file. This is required when the CyberArk server authenticates applications using client certificates. | No
Keystore Password | Password | The password of the agent machine's keystore. | No
Keystore Type | String | The type of keystore on the agent machine. | No
Object Name | String | The name of the password object to retrieve. | No
Process Property Prefix | String | The value to be prepended to each process request property that is created by this step. You may address these properties in subsequent steps with the syntax ${p:<prefix>/password}, for instance. | Yes
SSL/TLS Debug Level | String | Specify a debug level to set the javax.net.debug system property. A level of all will log everything. You can specify more specific logging levels with values; for instance, ssl:handshake will only log information regarding handshakes between the client and server. | No
Safe | String | The name of the safe where the password is stored. | No
Server URL | String | The URL of your CyberArk server. This property should be specified in the format https://<host:port>/AIMWebService/api/accounts. | Yes
Trust Invalid Certificates | Boolean | Check this box to trust all SSL certificates on the agent machine. This will trust any certificate returned from the CyberArk server during connection. | No

Get Password from CP (CLI Utility)

Retrieve a password from CyberArk AIM Credential Provider via the clipasswordsdk command line utility on the agent machine. This step sets the CyberArk/username, CyberArk/address, and CyberArk/password properties at either the component process request level or the generic process request level.

Input properties for the Get Password from CP (CLI Utility) step
Name | Type | Description | Required
AppID | String | AppID configured in CyberArk PVWA | Yes
Folder | String | Folder name | Yes
Object | String | Object name of the credential | Yes
Output Property Address | String | Process request property for storing the retrieved address | No
Output Property Password | String | Process request property for storing the retrieved password | Yes
Output Property User Name | String | Process request property for storing the retrieved user name | No
Path | String | Full path to clipasswordsdk, e.g. /opt/CARKaim/sdk/clipasswordsdk | Yes
Safe | String | Safe name | Yes
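The following is an added example, not code from the plug-in itself, showing how the Get Password from CP step's inputs turn into a clipasswordsdk invocation, how the output is mapped onto the CyberArk/username, CyberArk/address and CyberArk/password process request properties, and how a later step's ${p:CyberArk/...} references (see the Usage section) can be resolved against them. It assumes the SDK's GetPassword syntax (-p AppDescs.AppID=..., -p Query="Safe=...;Folder=...;Object=...", -o <fields>) and that the requested output fields are printed comma-separated on a single line; both should be checked against the SDK version on your agent. The SDK itself is replaced by a constructed stand-in so the example runs offline.

```python
"""Invoke clipasswordsdk as the Get Password from CP step does, map its output to
CyberArk/* process request properties, and resolve ${p:CyberArk/...} references.

Added example, not the plug-in's own code. Assumed: the SDK's GetPassword syntax
and that requested -o fields are printed comma-separated on one line.
"""
import re
import subprocess

# Fields requested from the SDK; Password is last so a comma inside it cannot be
# confused with the field separator when the output line is split.
OUTPUT_FIELDS = ["PassProps.UserName", "PassProps.Address", "Password"]
PROPERTY_NAMES = {"PassProps.UserName": "username",
                  "PassProps.Address": "address",
                  "Password": "password"}
PLACEHOLDER = re.compile(r"\$\{p:([^}]+)\}")


def validate_query_value(name: str, value: str) -> None:
    # ';' and '=' are the Query syntax's own delimiters and a newline would end the
    # SDK's line-oriented output, so none of them may appear in a step input.
    if not value or any(ch in value for ch in ";=\r\n"):
        raise ValueError(f"{name} value {value!r} would alter the SDK query")


def build_command(path: str, app_id: str, safe: str, folder: str, obj: str) -> list:
    for name, value in (("AppID", app_id), ("Safe", safe), ("Folder", folder), ("Object", obj)):
        validate_query_value(name, value)
    # Returned as an argv list: it is run without a shell, so the ';' in Query and
    # any unusual characters in object names are never interpreted by /bin/sh.
    return [path, "GetPassword",
            "-p", f"AppDescs.AppID={app_id}",
            "-p", f"Query=Safe={safe};Folder={folder};Object={obj}",
            "-o", ",".join(OUTPUT_FIELDS)]


def parse_output(stdout: str, prefix: str = "CyberArk") -> dict:
    line = stdout.strip("\r\n")
    # maxsplit keeps everything after the second comma as the password.
    parts = line.split(",", len(OUTPUT_FIELDS) - 1)
    if len(parts) != len(OUTPUT_FIELDS):
        # The message deliberately omits the output, which may contain the secret.
        raise ValueError("unexpected clipasswordsdk output format")
    return {f"{prefix}/{PROPERTY_NAMES[f]}": v for f, v in zip(OUTPUT_FIELDS, parts)}


def get_password(path, app_id, safe, folder, obj, prefix="CyberArk", runner=subprocess.run) -> dict:
    cmd = build_command(path, app_id, safe, folder, obj)
    result = runner(cmd, capture_output=True, text=True, check=False)
    if result.returncode != 0:
        # stderr carries the SDK's error text; stdout could hold the secret, so it is not echoed.
        raise RuntimeError(f"clipasswordsdk exited {result.returncode}: {result.stderr.strip()}")
    return parse_output(result.stdout, prefix)


def resolve_properties(template: str, props: dict) -> str:
    """Expand ${p:<name>} references from the process request properties."""
    def lookup(match):
        key = match.group(1)
        if key not in props:
            raise KeyError(f"process request property {key} is not set")
        return props[key]
    return PLACEHOLDER.sub(lookup, template)


# Constructed stand-in for the SDK so the example runs offline (not real output).
SAMPLE_STDOUT = "svc_deploy,db01.example.com,p@ss,with,commas\n"


def fake_runner(cmd, **kwargs):
    return subprocess.CompletedProcess(cmd, 0, stdout=SAMPLE_STDOUT, stderr="")


def demo() -> dict:
    props = get_password("/opt/CARKaim/sdk/clipasswordsdk", "DeployApp", "DeploySafe",
                         "Root", "db01-svc_deploy", runner=fake_runner)
    props["target"] = resolve_properties("${p:CyberArk/username}@${p:CyberArk/address}", props)
    return props


if __name__ == "__main__":
    print(demo()["target"])
```

To run against a real agent, drop the runner argument so subprocess.run executes the SDK at the configured Path; the argv-list form is what keeps safe, folder and object names from being shell-interpreted.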

Get Variable from Conjur

Retrieve the value of a Conjur variable using an access token obtained by the Authenticate Conjur step.

Input properties for the Get Variable from Conjur step
Name | Type | Description | Required
Access Token | String | Access token | Yes
Account | String | Organization account name | No
Api Version | Enumeration: v4, v5 | API version | Yes
Conjur URL | String | URL of Conjur, e.g. https://eval.conjur.org | Yes
Output Property Variable | String | Process request property for storing the retrieved variable | Yes
Proxy | String | Proxy; leave it blank if no proxy is needed | No
Variable ID | String | Variable ID | Yes
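The following is an added example, not code from the plug-in, of the two Conjur steps end to end: Authenticate Conjur exchanges the API key for a short-lived token, and Get Variable from Conjur presents that token to read a variable. It assumes the Conjur v5 REST routes (POST /authn/{account}/{login}/authenticate with the API key as the body, and GET /secrets/{account}/variable/{id} with an Authorization: Token token="<base64 token>" header); the v4 option in the Api Version field is not covered. The HTTP layer is replaced by canned responses so the flow runs offline; the account, login, variable ID and token below are constructed values.

```python
"""Conjur v5 authentication and variable retrieval, mirroring the Authenticate
Conjur and Get Variable from Conjur steps. Added example, not the plug-in's code.
Assumed routes: POST /authn/{account}/{login}/authenticate and
GET /secrets/{account}/variable/{variable_id}.
"""
import base64
import urllib.parse
import urllib.request


def quote_segment(value: str) -> str:
    # Logins such as host/host-id and variable ids such as prod/db/password contain
    # slashes, so each must be escaped as a single URL path segment.
    return urllib.parse.quote(value, safe="")


def build_authenticate_request(conjur_url: str, account: str, login: str):
    base = conjur_url.rstrip("/")
    url = f"{base}/authn/{quote_segment(account)}/{quote_segment(login)}/authenticate"
    # The API key travels in the request body, never in the URL (URLs end up in logs).
    return url, {"Content-Type": "text/plain"}


def authorization_header(raw_token: bytes) -> dict:
    # Conjur v5 expects the token JSON base64-encoded inside a Token-scheme header.
    encoded = base64.b64encode(raw_token).decode("ascii")
    return {"Authorization": f'Token token="{encoded}"'}


def build_variable_request(conjur_url: str, account: str, variable_id: str, raw_token: bytes):
    base = conjur_url.rstrip("/")
    url = f"{base}/secrets/{quote_segment(account)}/variable/{quote_segment(variable_id)}"
    return url, authorization_header(raw_token)


def urllib_transport(method, url, headers, body, proxy):
    """Real HTTP transport; honours the step's optional Proxy setting."""
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})] if proxy else []
    opener = urllib.request.build_opener(*handlers)
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with opener.open(req, timeout=30) as resp:
        return resp.status, resp.read()


def canned_transport(responses: dict):
    """Offline transport for the demo: maps (method, url) to (status, body)."""
    def send(method, url, headers, body, proxy):
        return responses.get((method, url), (404, b""))
    return send


class ConjurClient:
    def __init__(self, conjur_url, account, proxy=None, transport=urllib_transport):
        self.conjur_url, self.account = conjur_url, account
        self.proxy, self.transport = proxy, transport

    def authenticate(self, login: str, api_key: str) -> bytes:
        url, headers = build_authenticate_request(self.conjur_url, self.account, login)
        status, body = self.transport("POST", url, headers, api_key.encode(), self.proxy)
        if status != 200:
            raise PermissionError(f"Conjur authentication failed for {login}: HTTP {status}")
        # Short-lived token: keep it in a secure process property, never in a log line.
        return body

    def get_variable(self, variable_id: str, raw_token: bytes) -> str:
        url, headers = build_variable_request(self.conjur_url, self.account, variable_id, raw_token)
        status, body = self.transport("GET", url, headers, None, self.proxy)
        if status != 200:
            raise LookupError(f"Conjur variable {variable_id!r} not readable: HTTP {status}")
        return body.decode("utf-8")


# Constructed sample data so the flow runs offline (not a real token or secret).
SAMPLE_URL = "https://eval.conjur.org"
SAMPLE_TOKEN = b'{"protected":"eyJ...","payload":"eyJ...","signature":"c2ln"}'


def demo() -> dict:
    responses = {
        ("POST", SAMPLE_URL + "/authn/myorg/host%2Fci-agent/authenticate"): (200, SAMPLE_TOKEN),
        ("GET", SAMPLE_URL + "/secrets/myorg/variable/prod%2Fdb%2Fpassword"): (200, b"constructed-db-pass"),
    }
    client = ConjurClient(SAMPLE_URL, "myorg", transport=canned_transport(responses))
    token = client.authenticate("host/ci-agent", "constructed-api-key")
    value = client.get_variable("prod/db/password", token)
    return {"token": token, "value": value,
            "auth_header": authorization_header(token)["Authorization"]}


if __name__ == "__main__":
    print(demo()["value"])
```

Against a live Conjur, construct ConjurClient without the transport argument (and with proxy set if the step's Proxy field is used). Because the token is short-lived, a process that runs longer than its validity must re-run the Authenticate Conjur step rather than cache the token.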

Usage

Process Request Properties

The CyberArk plugin password retrieval steps generate secure process request properties accessible only by the currently running process. In subsequent steps you may access these properties using the syntax ${p:CyberArk/password}, ${p:CyberArk/username}, and ${p:CyberArk/address}.

CyberArk Authentication

The CyberArk server determines how applications will be authenticated to access objects. Applications may be authenticated via Windows username, allowed hostnames, and client certificates. The Get Password from CCP (Web Service) step allows for authentication via client certificate.

The Keystore File, Keystore Password, and Keystore Type step fields let you set up an SSL context for requesting password objects from CyberArk. The certificate in the referenced keystore is presented with the request. The CyberArk server must trust the client certificate in its truststore and must reference the certificate's serial number in the application's authentication settings.
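The following is an added example, not code from the plug-in, covering the Get Password from CCP (Web Service) step's inputs and the client-certificate authentication described in this section: it builds the request to the Server URL, presents a client certificate through an SSL context, places the "Trust Invalid Certificates" setting beside the verified default so the difference is visible, and maps the response onto <prefix>/username, <prefix>/address and <prefix>/password. It assumes the CCP REST interface (GET <Server URL>?AppID=...&Safe=...&Folder=...&Object=..., with a JSON response carrying Content, UserName and Address) and PEM files for the certificate and CA bundle, where the plug-in's fields refer to a Java keystore; the response below is constructed and the HTTP call is stubbed so the example runs offline.

```python
"""Request a password from the Central Credential Provider web service with a client
certificate and map the response to <prefix>/* process request properties.

Added example, not the plug-in's own code. Assumed: the CCP REST query parameters
AppID/Safe/Folder/Object, a JSON response with Content, UserName and Address, and
PEM-format certificate files (a Java keystore would have to be exported to PEM).
"""
import json
import ssl
import urllib.parse
import urllib.request


def build_ccp_url(server_url, app_id, safe=None, folder=None, obj=None):
    params = {"AppID": app_id}
    for key, value in (("Safe", safe), ("Folder", folder), ("Object", obj)):
        if value:
            params[key] = value
    # urlencode escapes spaces and special characters in safe and object names.
    return f"{server_url.rstrip('/')}?{urllib.parse.urlencode(params)}"


def make_ssl_context(client_cert_pem=None, client_key_pem=None, ca_bundle=None, trust_invalid=False):
    ctx = ssl.create_default_context(cafile=ca_bundle)
    if client_cert_pem:
        # Counterpart of the Keystore File/Password fields: the client certificate is
        # presented in the TLS handshake so CCP can authenticate the application.
        ctx.load_cert_chain(client_cert_pem, client_key_pem)
    if trust_invalid:
        # Counterpart of the "Trust Invalid Certificates" box. Any host that can answer
        # for the Server URL is now accepted as CCP, so the credentials the agent
        # receives are only as trustworthy as the network path. Fix the truststore instead.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx) -> bool:
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def response_to_properties(body: bytes, prefix: str) -> dict:
    data = json.loads(body)
    missing = [k for k in ("Content", "UserName") if k not in data]
    if missing:
        # Report field names only; the body may contain the secret.
        raise ValueError(f"CCP response lacks {missing}")
    return {
        f"{prefix}/username": data["UserName"],
        f"{prefix}/address": data.get("Address", ""),
        f"{prefix}/password": data["Content"],
    }


def fetch_credential(server_url, app_id, prefix, safe=None, folder=None, obj=None,
                     ssl_context=None, opener=None) -> dict:
    url = build_ccp_url(server_url, app_id, safe, folder, obj)
    ctx = ssl_context or make_ssl_context()
    opener = opener or urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    with opener.open(url, timeout=30) as resp:
        body = resp.read()
    return response_to_properties(body, prefix)


# Constructed sample response; not captured from a real CCP.
SAMPLE_RESPONSE = (b'{"Content":"constructed-password","UserName":"svc_deploy",'
                   b'"Address":"db01.example.com","Safe":"DeploySafe","Folder":"Root",'
                   b'"Name":"db01-svc_deploy"}')


class CannedOpener:
    """Stands in for urllib's opener so the flow runs offline."""
    def __init__(self, body):
        self.body, self.urls = body, []

    def open(self, url, timeout=None):
        self.urls.append(url)
        return self

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def read(self):
        return self.body


def demo() -> dict:
    opener = CannedOpener(SAMPLE_RESPONSE)
    props = fetch_credential("https://ccp.example.com:443/AIMWebService/api/accounts", "DeployApp",
                             "cyberark", safe="DeploySafe", folder="Root", obj="db01-svc_deploy",
                             ssl_context=make_ssl_context(), opener=opener)
    props["request_url"] = opener.urls[0]
    return props


if __name__ == "__main__":
    print(demo()["request_url"])
```

For a real call, pass make_ssl_context(client_cert_pem=..., client_key_pem=..., ca_bundle=...) and omit the opener argument; leaving trust_invalid at its default keeps hostname and chain verification on, which is the state the "Trust Invalid Certificates" box switches off.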