Versions Compared

Version Old Version 11 New Version 12
Changes made by

Emily Simon

Emily Simon

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

FlexDeploy provides out of box integration with CyberArk AAM to retrieve secrets. FlexDeploy will authenticate using client certificate or retrieve credentials using Agent. In this section we will talk about client certificate based authentication.

CyberArk Setup

  • Create necessary Application Id(s) in CyberArk AAM.
  • Configure safe and credentials.
  • Configure Application Id(s) for specific client certificate authentication.
  • If necessary, get PEM files for CyberArk server trust.

Generating the Client Certificate

Here are some steps for creating a client .pem file for authenticating against CyberArk from FlexDeploy. This uses openssl to create a certificate signing request and private key. Your organization may have their own guidelines, but this may help for understanding the general process needed.  

  1. Generate a certificate signing request and private key.
    openssl req -newkey -nodes -keyout clientKey.key -out clientCSR.csr
  2. Present the certificate signing request (.csr file) to your certificate authority (CA). The certificate authority will sign and return a certificate (.crt/.cer file).
  3. Create a .pem file from the certificate and private key. 
    cat clientCertificate.crt clientKey.key > clientPem.pem

    This set of steps will create a PKCS#8 key file. See Converting Between Key Formats if you prefer another format.

FlexDeploy Setup

You must first create Credential Store in FlexDeploy by clicking Create Store button on Administration - Security - Credentials page. Credential store represents instance of specific type of credential store provider. If you have more than one CyberArk AAM installations, you will create equal number of Credential Stores in FlexDeploy. Use CyberArk AAM Provider when creating this store.

...

  • PKCS#8 - In a PEM file, the base64 ASCII encoded private key will be contained between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines. 
  • PKCS#1 (RSA) @since 5.6.0.1- In a PEM file, the base64 ASCII encoded private key will be contained between -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines. This RSA key cannot be password protected. There will be lines before the key similar to Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,2A37A86050838C0D if the key is encrypted, and therefore password protected. If you prefer to use a password to protect the private key, use a PKCS#12 key.
  • PKCS#12 (Encrypted) @since 5.6.0.1- In a PEM file, the private key will be contained between -----BEGIN ENCRYPTED PRIVATE KEY----- and -----END ENCRYPTED PRIVATE KEY----- lines. A client certificate password is required for this private key format. Supported ciphers are
    • des/des3 (default)
    • aes128/aes192/aes256
    • camellia128/camellia192/camellia256

Converting Between Key Formats
Anchor
Converting Between Key Formats
Converting Between Key Formats

Often, a certificate and key will be provided in the form of .cer and .key files or some other format. OpenSSL or another tool will be needed to convert to the supported PEM format. See some examples below.

...