...

  1. Generate a private key and a certificate signing request. Preferably run this on the FlexDeploy server so the private key never has to be copied between hosts. The private key file must be secured so that it is readable only by the FlexDeploy application process (for example, owned by the FlexDeploy OS user with mode 0600). The -nodes option leaves the key unencrypted; the command below produces a 2048-bit RSA key (use rsa:4096 if your CA requires it).

    Code Block
    openssl req -newkey rsa:2048 -nodes -keyout clientKey.key -out clientCSR.csr
     
  2. Present the certificate signing request (.csr file) to your certificate authority (CA). Send only the .csr; the private key stays on the FlexDeploy server. The CA will sign the request and return a certificate (.crt/.cer file).

  3. The returned certificate will usually be a .crt, .cer, or .pem file in PEM format (Base64 text between BEGIN CERTIFICATE and END CERTIFICATE lines). If it is in another format, it must be converted to PEM. A .p7b (PKCS#7) bundle is another common format in which CAs return a certificate, often together with the issuing chain. Here is the command for converting from PKCS#7; add -inform DER if the .p7b is binary rather than Base64.

    Code Block
    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt

       
  4. Create the .pem file from the certificate and private key, certificate first. If your CA returned intermediate certificates, append them after the client certificate and before the key. The resulting file contains the private key and must be protected exactly like the .key file.

    Code Block
    cat clientCertificate.crt clientKey.key > clientPem.pem

These steps produce an unencrypted PKCS#8 private key (PEM header BEGIN PRIVATE KEY), so Client Certificate Password can be left blank. See Integrate with CyberArk AAM (HTTP)#Converting Between Key Formats if you prefer another format.
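The four steps above, run end to end in a scratch directory, as an added example that is not part of the original page or of FlexDeploy's own tooling. A throwaway local CA (ca.key, ca.crt and the chain.p7b/chain.crt bundle it hands back are assumptions for the demo) stands in for your real CA; the other file names follow the page. The verify_pem function performs the checks worth running before pointing Client Certificate Path at the file: leaf certificate first, unencrypted PKCS#8 key, key and certificate belong together, and the leaf chains to the CA.

```shell
#!/bin/sh
# Added example, not FlexDeploy's own tooling. Runs steps 1-4 end to end in a
# scratch directory. A throwaway local CA (ca.key/ca.crt, an assumption for the
# demo) stands in for your real CA; the other file names follow the page.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1: unencrypted PKCS#8 private key + CSR. umask 077 makes the key 0600 from
# the moment it is created, rather than chmod-ing it afterwards.
make_key_and_csr() {
  ( umask 077
    openssl req -newkey rsa:2048 -nodes -subj "/CN=flexdeploy-client" \
      -keyout "$WORK/clientKey.key" -out "$WORK/clientCSR.csr" 2>/dev/null )
}

# Step 2 stand-in: the demo CA signs the CSR and also hands back its own
# certificate as a PKCS#7 bundle, the format step 3 converts.
sign_with_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/clientCSR.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/clientCertificate.crt" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$WORK/ca.crt" -out "$WORK/chain.p7b"
}

# Step 3: PKCS#7 -> PEM certificates (add -inform DER if your CA sends a binary .p7b).
convert_p7b() {
  openssl pkcs7 -print_certs -in "$WORK/chain.p7b" -out "$WORK/chain.crt"
}

# Step 4: client certificate first, then the chain, then the private key.
build_pem() {
  ( umask 077
    cat "$WORK/clientCertificate.crt" "$WORK/chain.crt" "$WORK/clientKey.key" > "$WORK/clientPem.pem" )
}

# Checks a practitioner wants before pointing Client Certificate Path at the file.
verify_pem() {
  pem="$WORK/clientPem.pem"
  # The first PEM block must be the client certificate (readers take the first cert as the leaf).
  [ "$(grep '^-----BEGIN' "$pem" | head -n 1)" = "-----BEGIN CERTIFICATE-----" ] || return 1
  # Unencrypted PKCS#8 key, so Client Certificate Password stays blank.
  grep -q '^-----BEGIN PRIVATE KEY-----' "$pem" || return 1
  # The leaf certificate and the private key must carry the same public key.
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(sed -n '/^-----BEGIN PRIVATE KEY-----/,/^-----END PRIVATE KEY-----/p' "$pem" \
            | openssl pkey -pubout | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ] || return 1
  # The leaf must chain to the CA that CyberArk trusts (here the demo CA).
  openssl x509 -in "$pem" | openssl verify -CAfile "$WORK/ca.crt" >/dev/null 2>&1
}

run_all() {
  make_key_and_csr
  sign_with_demo_ca
  convert_p7b
  build_pem
  verify_pem
}

run_all
echo "client bundle ready: $WORK/clientPem.pem"
```

With a real CA, replace sign_with_demo_ca by submitting clientCSR.csr and saving what the CA returns as clientCertificate.crt (and chain.p7b if it sends a bundle); verify_pem then needs the CA's certificate in place of ca.crt. Both the .key and the .pem are created with mode 0600 by the umask, which is the "accessible only by the FlexDeploy application process" requirement from step 1.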

...

Here are the properties required for this credential store.

...

Property Name: CyberArk URL
Notes: HTTP(S) URL for CyberArk AAM. FlexDeploy invokes an HTTP GET against it to retrieve each credential. If you use the https protocol, you may also have to set up Server Certificate Path.
The URL can be https://services-xyz.skytap.com:1234 or https://services-xyz.skytap.com:1234/AIMWebservice/api/Accounts. If the URL does not end with api/Accounts, /AIMWebservice/api/Accounts is appended automatically when the request is made.
Example: https://services-xyz.skytap.com:1234

Property Name: Client Certificate Path
Notes: Full path to the .pem file containing the private key and certificate chain used to authenticate FlexDeploy to CyberArk AAM (the file produced in step 4 above).
Only PEM certificates are supported at this time. Store the PEM file containing the private key and certificate on the FlexDeploy server in a secure location, readable only by the FlexDeploy process. See the Integrate with CyberArk AAM (HTTP)#Supported Key Formats section below to verify that your private key meets the requirements.

Property Name: Client Certificate Password
Notes: Password for the client certificate's private key. Required only if the private key in the .pem file is encrypted; leave it blank for an unencrypted key.

Property Name: Server Certificate Path
Notes: Optional, only needed with the https protocol. Full path to the .pem certificate file used to establish trust in the CyberArk server (the certificate chain FlexDeploy should accept for that server).
Only PEM certificates are supported at this time. Store the PEM certificate file on the FlexDeploy server in a secure location.

Now you are ready to create the individual credentials that will be retrieved from CyberArk.

...

A CyberArk credential requires the two inputs described below.

Input Name: Application Id
Notes: The application id registered in CyberArk AAM for FlexDeploy. Application Id and Query Text together identify the secret to retrieve from CyberArk AAM.

Input Name: Query
Notes: Query Text for the credential, for example Safe=Linux%20Accounts;Folder=root;Object=secret. Note that the value is URL-encoded (the space in the safe name is written as %20).

Here is what the edit credential popup looks like.
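The URL rule from the CyberArk URL property and the two credential inputs, as an added example that is not part of the original page or of FlexDeploy: cyberark_accounts_url applies the page's "append /AIMWebservice/api/Accounts unless the URL already ends with api/Accounts" rule, and cyberark_fetch shows how to exercise the same retrieval with curl and the same client/server .pem files before configuring FlexDeploy. The query parameter names AppID and Query follow CyberArk's Central Credential Provider REST interface as I know it and the AppID value FlexDeployApp is a placeholder; confirm both against your CyberArk documentation.

```shell
#!/bin/sh
# Added example, not FlexDeploy code. Mirrors the URL rule from the CyberArk URL
# property and shows a curl call equivalent to FlexDeploy's HTTP GET. The
# parameter names AppID and Query are assumed from CyberArk's CCP REST interface;
# FlexDeployApp is a placeholder Application Id.
set -eu

# The page's rule: append /AIMWebservice/api/Accounts unless the URL already ends with api/Accounts.
cyberark_accounts_url() {
  base="${1%/}"   # tolerate one trailing slash on the configured URL
  case "$base" in
    */api/Accounts) printf '%s\n' "$base" ;;
    *)              printf '%s\n' "$base/AIMWebservice/api/Accounts" ;;
  esac
}

# Full GET URL. The Query Text is taken as already URL-encoded (as in the page's
# Safe=Linux%20Accounts example), so it is passed through without re-encoding.
cyberark_request_url() {
  printf '%s?AppID=%s&Query=%s\n' "$(cyberark_accounts_url "$1")" "$2" "$3"
}

# Retrieve the secret with the same files FlexDeploy uses: the client .pem
# (certificate + key) for Client Certificate Path and, for https, the server
# certificate .pem for Server Certificate Path as the only trust anchor.
# Not executed here: it needs network access to a real CyberArk AAM.
cyberark_fetch() {
  url=$1 app_id=$2 query=$3 client_pem=$4 server_pem=${5:-}
  set -- --fail --silent --show-error --cert "$client_pem"
  [ -n "$server_pem" ] && set -- "$@" --cacert "$server_pem"
  curl "$@" "$(cyberark_request_url "$url" "$app_id" "$query")"
}

cyberark_request_url "https://services-xyz.skytap.com:1234" "FlexDeployApp" \
  "Safe=Linux%20Accounts;Folder=root;Object=secret"
```

If the private key in the client .pem is encrypted, curl needs the password too (--cert "$client_pem:$password"), which corresponds to the Client Certificate Password property. Pinning --cacert to the server certificate file rather than the system trust store reproduces what Server Certificate Path does, so a trust failure here will also fail in FlexDeploy.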

...

  • Create a .p12 combined certificate file from the .key and .cer files, then export it as a .pem file. You will be prompted for the password when running these commands. Unless you add -nodes to the second command, the exported .pem contains an encrypted PKCS#8 key, so enter the same password in Client Certificate Password.

Code Block
openssl pkcs12 -export -in <.cer file> -inkey <.key file> -out <.p12 result file> -name <friendly name>

...



openssl pkcs12 -in <.p12 file> -out <.pem result file>
  • Convert a PKCS#8 .pem file to PKCS#1 (PEM header BEGIN RSA PRIVATE KEY). Keep in mind that adding encryption options such as -des to this command is not supported: FlexDeploy cannot read an encrypted PKCS#1 key. To encrypt a key, convert it to PKCS#12 format with the openssl pkcs12 command as in the next bullet. On OpenSSL 3.x, openssl rsa writes PKCS#8 by default; add -traditional to get PKCS#1 output.

Code Block
openssl rsa -in <.pem file> -out <rsa .pem file>
  • Encrypt a PKCS#8 or PKCS#1 .pem file. The input .pem must contain the certificate as well as the key (the combined file from step 4). The round trip through PKCS#12 produces an encrypted PKCS#8 key (PEM header BEGIN ENCRYPTED PRIVATE KEY); enter the same password in Client Certificate Password. You will be prompted for the password when running these commands.

Code Block
openssl pkcs12 -export -in <.pem file> -out <.p12 file>

...



openssl pkcs12 -in <.p12 file> -out <new .pem file>
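The conversions above run non-interactively on a throwaway self-signed key pair, as an added example that is not part of the original page or of FlexDeploy. key_format classifies a .pem by its private-key header so you can tell in advance whether Client Certificate Password must be set and whether the file is in a form the page says is unsupported (an encrypted PKCS#1 key with Proc-Type/DEK-Info headers, i.e. the -des style). The password demo-password, the scratch directory and the file names are assumptions for the demo; -passin/-passout are used only so the example runs unattended.

```shell
#!/bin/sh
# Added example, not FlexDeploy code. Exercises the key-format conversions on a
# throwaway self-signed pair and classifies the resulting .pem files by header.
# demo-password and all file names are demo assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="demo-password"

# Classify the private key in a PEM file by its header line.
key_format() {
  if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then echo pkcs8-encrypted
  elif grep -q '^-----BEGIN PRIVATE KEY-----' "$1"; then echo pkcs8
  elif grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$1"; then
    # PKCS#1 with legacy Proc-Type/DEK-Info headers is the -des style the page says is unsupported
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo pkcs1-encrypted-unsupported; else echo pkcs1; fi
  else echo none; fi
}

# Starting point: unencrypted PKCS#8 key + self-signed certificate in one .pem,
# standing in for the clientPem.pem produced by step 4.
make_start_pem() {
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=flexdeploy-client" \
      -keyout "$WORK/clientKey.key" -out "$WORK/clientCertificate.crt" 2>/dev/null
    cat "$WORK/clientCertificate.crt" "$WORK/clientKey.key" > "$WORK/clientPem.pem" )
}

# Conversion 1: PKCS#8 -> PKCS#1. OpenSSL 3 writes PKCS#8 unless -traditional is
# given, while OpenSSL 1.1 has no such flag, so probe the help text for it.
to_pkcs1() {
  if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then trad=-traditional; else trad=; fi
  ( umask 077; openssl rsa -in "$WORK/clientPem.pem" $trad -out "$WORK/clientKey.pkcs1.pem" 2>/dev/null )
}

# Conversion 2: encrypt via the PKCS#12 round trip. The result holds the
# certificate plus an encrypted PKCS#8 key, the supported way to encrypt.
encrypt_via_p12() {
  ( umask 077
    openssl pkcs12 -export -in "$WORK/clientPem.pem" -out "$WORK/client.p12" -passout "pass:$PASS"
    openssl pkcs12 -in "$WORK/client.p12" -out "$WORK/clientPem.enc.pem" \
      -passin "pass:$PASS" -passout "pass:$PASS" )
}

# The encrypted file must open with the password that goes in Client Certificate Password.
check_password() {
  openssl pkey -in "$WORK/clientPem.enc.pem" -passin "pass:$PASS" -noout 2>/dev/null
}

run_demo() {
  make_start_pem
  to_pkcs1
  encrypt_via_p12
  check_password
  for f in clientPem.pem clientKey.pkcs1.pem clientPem.enc.pem; do
    printf '%s: %s\n' "$f" "$(key_format "$WORK/$f")"
  done
}

run_demo
```

Expected classifications are pkcs8 for the step-4 style file, pkcs1 after openssl rsa, and pkcs8-encrypted after the PKCS#12 round trip; a file reported as pkcs1-encrypted-unsupported was produced with -des or similar and must be re-encrypted through PKCS#12 before FlexDeploy can use it.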