Versions Compared

Old Version 1

changes.mady.by.user Karl Henselin

Saved on

compared with

New Version Current

changes.mady.by.user Victor Krieg

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Here are some steps for creating a client .pem file for authenticating against CyberArk from FlexDeploy. This uses openssl to create a certificate signing request and private key. Your organization may have their own guidelines, but this may help for understanding the general process needed.  

  1. Generate a certificate signing request and private key. Preferably run this on FlexDeploy server. We have to secure private key file, so that it is only accessible by FlexDeploy application process.
    openssl req -newkey -nodes -keyout clientKey.key -out clientCSR.csr
       

  2. Present the certificate signing request (.csr file) to your certificate authority (CA). The certificate authority will sign and return a certificate (.crt/.cer file).

  3. The certificate will likely be a .crt, .cer, or .pem file, which are all PEM format. If it's in another format, it will need to be converted to one of these formats. For example, a .p7b file is also a common format to receive certificates. Here's a command for converting from PKCS#7.
    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt
       

  4. Create a .pem file from the certificate and private key.
    cat clientCertificate.crt clientKey.key > clientPem.pem


This set of steps will create a PKCS#8 key file. See Integrate with CyberArk AAM (HTTP)#Converting Between Key Formats if you prefer another format.

...

You must first create Credential Store in FlexDeploy by clicking + Create Store button on Administration Configuration - Security Integration - Credentials Credential Store page. Credential store represents instance of specific type of credential store provider. If you have more than one CyberArk AAM installations, you will create equal number of Credential Stores in FlexDeploy. Use CyberArk AAM Provider when creating this store.

...

Now you are ready to create individual credential to be retrieved from CyberArk.

You can 1:create or 2:edit credentials from Credentials page or from where specific credential is used.

...

Input Name

Notes

Application Id

Application id and Query Text are used to retrieve secret from CyberArk AAM.

Query

Query Text for credential. For example, Safe=Linux%20Accounts;Folder=root;Object=secret

Here is how the edit credential popup looks like.

...

Create credential looks similar except you need to provide Scope as well. Scope can not changed once credential is saved.

...