
A credential store represents an instance of a specific type of credential store provider. You can have many credential stores in FlexDeploy, of the same or different types. One credential store, named Local, is created by default. If you are migrating from a previous version of FlexDeploy, you will also see your migrated credentials under the Local credential store.

The Local credential store is based on the Local credential store provider. Only one Local credential store is allowed, but you can create many other credential stores based on one or more credential store providers.

You can access credential stores by navigating to Configuration → Integrations and clicking the Credential Store tab.

You will see the following screen, which lists all active credential stores. This screen allows you to:

  1. View or Edit Credential Store - open a popup to view or edit a specific credential store by selecting its name.

  2. Create Store - open the create new store popup, where you select the desired provider and provide the configuration properties for that credential store.

  3. Manage Providers - navigate to the list of credential store providers, where you can view, edit or create credential store providers.

  4. Activate/Inactivate Store - click the active checkmark to inactivate a store, and click the inactive icon to activate it (a store can only be inactivated if it is not in use by a credential).

  5. Copy Store - copy a specific credential store together with its configuration property values.

  6. Delete Store - delete a specific credential store. A credential store that is in use cannot be deleted.

In this section we describe how to view/edit and create a credential store. Note that the credential store provider associated with a store determines the type of the store; once a credential store is created, it cannot be changed to a different provider type.

Create Credential Store

First click the + Create button. You will see the screen shown below. Enter the name of your store and select the provider type in the dropdown. Once a credential store is saved, its provider type cannot be changed.

Once you have selected a provider, a list of properties will appear. Some are required to save the store, others are optional.

Click the Save button to save the changes and exit the popup.

View or Edit Credential Store

To view or edit a specific credential store, select its name in the list of stores. At this point you can change the Name and the Property Values, but the Provider Name cannot be changed. Make the necessary changes and click the Save button to save them.

Integrate with HashiCorp Vault

FlexDeploy provides out-of-the-box integration with HashiCorp Vault to retrieve secrets. FlexDeploy authenticates against Vault using the AppRole authentication method.

HashiCorp Vault Setup

  • You must first install and configure HashiCorp Vault if you have not already done so.

  • Next, create a specific AppRole for FlexDeploy authentication. Use a descriptive role name, for example flexdeploy-role.

  • The AppRole must have a policy that allows FlexDeploy to read the specific secrets it needs. Note that FlexDeploy only needs read permission. Example policy file:

    Example Policy File

    path "kv/*" {
      capabilities = ["read"]
    }
    path "sys/mounts" {
      capabilities = ["read"]
    }
    path "secret/*" {
      capabilities = ["read"]
    }

  • You will need the role id and secret id of this AppRole to configure the store in FlexDeploy.

FlexDeploy Setup

You must first create a Credential Store in FlexDeploy by clicking the + Create button on the Configuration - Integration - Credential Store page. A credential store represents an instance of a specific type of credential store provider. If you have more than one HashiCorp Vault installation, create an equal number of Credential Stores in FlexDeploy.

Here are the configurations necessary for this store (Property Name, Notes, Example):

Vault URL
  Notes: HTTP URL for REST service calls. If you use the https protocol, make sure the KeyStore (default Java or application server keystore) is configured with the proper certificates.
  Example: http://myvault.mycompany.com:8200

App Role Path
  Notes: AppRole path for authentication. Defaults to approle, which should be sufficient.
  Example: approle

Role Id
  Notes: Role id of the AppRole you created for FlexDeploy to authenticate against Vault.
  Example: as per your Vault configuration

Secret Id
  Notes: Secret id of the AppRole you created for FlexDeploy to authenticate against Vault.
  Example: as per your Vault configuration

Engine Version
  Notes: Secrets engine version. Defaults to 2; change it if necessary.
  Example: 1 or 2

Now you are ready to create the individual credentials to be retrieved from Vault.

You can create or edit credentials from the Credentials page or from wherever a specific credential is used.

A HashiCorp credential requires the two inputs described below. Keep in mind that the AppRole created for FlexDeploy must have read access to the paths used by the various credentials.

Secrets Path
  Notes: Path to the secret in HashiCorp Vault. For example, kv/DEV/Database/apps

Key Name
  Notes: Key name of the secret value.

Here is what the edit credential popup looks like.

Create credential looks similar, except that you must also provide the Scope. The Scope cannot be changed once the credential is saved.

You can change the credential inputs (Secrets Path, Key Name) at any point. FlexDeploy uses these inputs together with the credential store properties (URL, Role Id and Secret Id) to retrieve the individual credential for use during Workflow Execution.
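The retrieval flow described above, as an added example that is not FlexDeploy's own code: log in with the AppRole role id and secret id, then read one Key Name from the Secrets Path, mapping the path differently for KV engine version 1 and 2 (v2 reads <mount>/data/<path> and nests the values one level deeper). The store dictionary keys and the injectable `http` transport are assumptions of this example.

```python
import json
import urllib.request


def approle_login_request(vault_url, approle_path, role_id, secret_id):
    """Build the AppRole login call: POST /v1/auth/<App Role Path>/login."""
    url = f"{vault_url.rstrip('/')}/v1/auth/{approle_path.strip('/')}/login"
    return url, {"role_id": role_id, "secret_id": secret_id}


def kv_read_url(vault_url, secrets_path, engine_version):
    """Map a credential's Secrets Path onto the KV REST path.
    KV v1 reads <mount>/<path>; KV v2 reads <mount>/data/<path>."""
    mount, _, rest = secrets_path.strip("/").partition("/")
    if engine_version == 2:
        rest = f"data/{rest}"
    return f"{vault_url.rstrip('/')}/v1/{mount}/{rest}"


def extract_secret(response_json, engine_version, key_name):
    """Pull one Key Name out of a KV read response (v2 nests it one level deeper)."""
    data = response_json["data"]
    if engine_version == 2:
        data = data["data"]
    if key_name not in data:
        raise KeyError(f"key {key_name!r} not present at that Secrets Path")
    return data[key_name]


def _http_json(method, url, body, token):
    """Minimal JSON transport over urllib; the token goes in the X-Vault-Token header."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def fetch_secret(store, secrets_path, key_name, http=_http_json):
    """store holds the credential store properties (assumed key names); secrets_path and
    key_name are the credential inputs. `http` is injectable so the flow runs offline."""
    login_url, login_body = approle_login_request(
        store["vault_url"], store.get("approle_path", "approle"),
        store["role_id"], store["secret_id"])
    token = http("POST", login_url, login_body, None)["auth"]["client_token"]
    version = int(store.get("engine_version", 2))
    resp = http("GET", kv_read_url(store["vault_url"], secrets_path, version), None, token)
    return extract_secret(resp, version, key_name)


if __name__ == "__main__":
    # Constructed sample store; the role id and secret id are placeholders, not real values.
    store = {"vault_url": "http://myvault.mycompany.com:8200", "approle_path": "approle",
             "role_id": "<role id>", "secret_id": "<secret id>", "engine_version": 2}
    print(fetch_secret(store, "kv/DEV/Database/apps", "password"))
```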

Integrate with CyberArk AAM (HTTP)

FlexDeploy provides out-of-the-box integration with CyberArk AAM to retrieve secrets. FlexDeploy either authenticates using a client certificate or retrieves credentials using the Agent. This section covers client certificate based authentication.

CyberArk Setup

  • Create the necessary Application Id(s) in CyberArk AAM.

  • Configure the safe and credentials.

  • Configure the Application Id(s) for client certificate authentication.

  • If necessary, get the PEM file(s) needed to trust the CyberArk server.

Generating the Client Certificate

Here are the steps for creating a client .pem file for authenticating against CyberArk from FlexDeploy. They use openssl to create a certificate signing request and a private key. Your organization may have its own guidelines, but this should help in understanding the general process.

  1. Generate a certificate signing request and private key. Preferably run this on the FlexDeploy server. The private key file must be secured so that it is only accessible by the FlexDeploy application process. (-newkey requires a key type and size; rsa:2048 is used here. -nodes leaves the key unencrypted.)
    openssl req -newkey rsa:2048 -nodes -keyout clientKey.key -out clientCSR.csr

  2. Present the certificate signing request (.csr file) to your certificate authority (CA). The certificate authority will sign it and return a certificate (.crt/.cer file).

  3. The certificate will likely be a .crt, .cer, or .pem file, which are all PEM format. If it is in another format, it will need to be converted to one of these. For example, a .p7b file is another common format in which certificates are delivered. Here is the command for converting from PKCS#7:
    openssl pkcs7 -print_certs -in certificate.p7b -out clientCertificate.crt

  4. Create the .pem file from the certificate and private key (certificate first, then key):
    cat clientCertificate.crt clientKey.key > clientPem.pem

This set of steps creates a PKCS#8 key file. See Integrate with CyberArk AAM (HTTP)#Converting Between Key Formats if you prefer another format.

FlexDeploy Setup

You must first create a Credential Store in FlexDeploy by clicking the + Create button on the Configuration - Integration - Credential Store page. A credential store represents an instance of a specific type of credential store provider. If you have more than one CyberArk AAM installation, create an equal number of Credential Stores in FlexDeploy. Use the CyberArk AAM Provider when creating this store.

Here are the configurations necessary for this store (Property Name, Notes, Example):

CyberArk URL
  Notes: HTTP URL for CyberArk AAM. FlexDeploy invokes an HTTP GET to retrieve the credential. If you use the https protocol, you may have to set up the Server Certificate Path. The URL can be https://services-xyz.skytap.com:1234 or https://services-xyz.skytap.com:1234/AIMWebservice/api/Accounts. If the URL does not end with api/Accounts, /AIMWebservice/api/Accounts is appended to it automatically for the invocation.
  Example: https://services-xyz.skytap.com:1234

Client Certificate Path
  Notes: Full path to the .pem file containing the private key and certificate chain used to authenticate FlexDeploy against CyberArk AAM. Only PEM certificates are supported at this time. Store the PEM file (private key and certificate) in a secure location on the FlexDeploy server. See the Integrate with CyberArk AAM (HTTP)#Supported Key Formats section below to verify that your private key meets the requirements.

Client Certificate Password
  Notes: Client certificate password. Required for encrypted private keys.

Server Certificate Path
  Notes: Optional; only needed if using the https protocol. Full path to the .pem certificate file used to establish trust for the CyberArk server. Only PEM certificates are supported at this time. Store the PEM certificate file in a secure location on the FlexDeploy server.


Now you are ready to create the individual credentials to be retrieved from CyberArk.

You can create or edit credentials from the Credentials page or from wherever a specific credential is used.

A CyberArk credential requires the two inputs described below.

Application Id
  Notes: The Application Id and Query Text are used together to retrieve the secret from CyberArk AAM.

Query
  Notes: Query Text for the credential. For example, Safe=Linux%20Accounts;Folder=root;Object=secret

Here is what the edit credential popup looks like.

Create credential looks similar, except that you must also provide the Scope. The Scope cannot be changed once the credential is saved.

You can change the credential inputs (Application Id, Query Text) at any point. FlexDeploy uses these inputs together with the credential store properties (URL, Certificate Path, etc.) to retrieve the individual credential for use during Workflow Execution.
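The HTTP retrieval described above, as an added example that is not FlexDeploy's own code: it applies the URL rule from the CyberArk URL property, composes the GET from the Application Id and Query inputs, and presents the combined client .pem (plus the optional server trust .pem) over TLS. The store dictionary keys and the assumption that the AIM web service returns the secret in a Content field are this example's, not the page's.

```python
import json
import ssl
import urllib.parse
import urllib.request

API_SUFFIX = "/AIMWebservice/api/Accounts"


def normalize_cyberark_url(url):
    """Store rule: append /AIMWebservice/api/Accounts unless the configured
    URL already ends with api/Accounts."""
    url = url.rstrip("/")
    if not url.endswith("api/Accounts"):
        url += API_SUFFIX
    return url


def build_request_url(cyberark_url, app_id, query):
    """Compose the GET URL from the two credential inputs. The Query text is sent as
    configured, since the documented example is already URL-encoded (Linux%20Accounts)."""
    app_id = urllib.parse.quote(app_id, safe="")
    return f"{normalize_cyberark_url(cyberark_url)}?AppID={app_id}&Query={query}"


def make_ssl_context(client_pem, client_password=None, server_pem=None):
    """Client certificate and key come from one PEM file (Client Certificate Path);
    server trust from the optional Server Certificate Path, otherwise the platform CAs."""
    ctx = ssl.create_default_context(cafile=server_pem)
    # The password is only needed when the private key in the PEM is encrypted.
    ctx.load_cert_chain(client_pem, password=client_password)
    return ctx


def fetch_password(store, app_id, query):
    """store keys (assumed names): url, client_pem, client_password, server_pem."""
    url = build_request_url(store["url"], app_id, query)
    ctx = make_ssl_context(store["client_pem"], store.get("client_password"),
                           store.get("server_pem"))
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        body = json.load(resp)
    return body["Content"]  # assumption: AIM web service returns the secret as Content
```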

Supported Key Formats

  • PKCS#8 - In a PEM file, the base64 ASCII encoded private key is contained between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines.

  • PKCS#1 (RSA) - In a PEM file, the base64 ASCII encoded private key is contained between -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines. This RSA key cannot be password protected. If the key is encrypted, and therefore password protected, there will be header lines before the key similar to:
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,2A37A86050838C0D
    If you prefer to protect the private key with a password, use a PKCS#12 key instead.

  • PKCS#12 (Encrypted) - In a PEM file, the private key is contained between -----BEGIN ENCRYPTED PRIVATE KEY----- and -----END ENCRYPTED PRIVATE KEY----- lines. A client certificate password is required for this private key format. Supported ciphers are:

    • des/des3 (default)

    • aes128/aes192/aes256

    • camellia128/camellia192/camellia256
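A pre-flight check for the combined client .pem, as an added example that is not FlexDeploy's own code: it identifies the private key form by the PEM block labels described above, rejects an encrypted PKCS#1 (RSA) key (the Proc-Type header case), confirms a certificate block is present, and verifies that a Client Certificate Password is supplied exactly when the key form requires one. The function names are this example's own.

```python
import re

# One PEM block: the END label must match the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def classify_private_key(pem_text):
    """Return (format label as used in this section, password_required) for the
    private key in a PEM file, or raise ValueError for a form that is not accepted."""
    for label, body in PEM_BLOCK.findall(pem_text):
        if label == "PRIVATE KEY":
            return "PKCS#8", False
        if label == "ENCRYPTED PRIVATE KEY":
            return "PKCS#12 (Encrypted)", True
        if label == "RSA PRIVATE KEY":
            if "Proc-Type: 4,ENCRYPTED" in body:
                raise ValueError("encrypted PKCS#1 RSA key is not supported; "
                                 "re-encrypt it with openssl pkcs12 instead")
            return "PKCS#1 (RSA)", False
    raise ValueError("no private key block found in PEM file")


def check_client_pem(pem_text, client_password=None):
    """Validate a file intended for Client Certificate Path: a certificate chain plus
    one supported private key, with a password given only when the key needs it."""
    labels = [label for label, _ in PEM_BLOCK.findall(pem_text)]
    if "CERTIFICATE" not in labels:
        raise ValueError("no CERTIFICATE block; concatenate the certificate and the key")
    fmt, needs_password = classify_private_key(pem_text)
    if needs_password and not client_password:
        raise ValueError(f"{fmt} key requires a Client Certificate Password")
    return {"key_format": fmt, "certificates": labels.count("CERTIFICATE"),
            "password_required": needs_password}
```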

Converting Between Key Formats

Often, a certificate and key are provided as .cer and .key files or in some other format. OpenSSL or another tool is needed to convert them to the supported PEM format. Some examples follow.

  • Create a .p12 combined certificate file from .key and .cer files, then export it as a .pem file. You will be prompted for the password when running these commands.

openssl pkcs12 -export -in <.cer file> -inkey <.key file> -out <.p12 result file> -name <friendly name>

openssl pkcs12 -in <.p12 file> -out <.pem result file>

  • Convert a PKCS#8 .pem file to PKCS#1. Keep in mind that adding encryption options such as -des to this command is not supported. To encrypt a key, convert it to PKCS#12 format with the openssl pkcs12 command.

openssl rsa -in <.pem file> -out <rsa .pem file>

  • Encrypt a PKCS#8 or PKCS#1 .pem file. You will be prompted for the password when running these commands.

openssl pkcs12 -export -in <.pem file> -out <.p12 file>

openssl pkcs12 -in <.p12 file> -out <new .pem file>

Integrate with CyberArk AAM (Agent)

FlexDeploy provides out-of-the-box integration with CyberArk AAM to retrieve secrets. FlexDeploy either authenticates using a client certificate or retrieves credentials using the Agent. This section covers retrieval of credentials using the Agent.

CyberArk Setup

  • Create the necessary Application Id(s) in CyberArk AAM.

  • Configure the safe and credentials.

  • Configure the Application Id(s) for the specific authentication used by the Agent.

  • Install and configure the CyberArk Agent on the FlexDeploy server. You will also need the location of the clipasswordsdk executable for the store configuration.

FlexDeploy Setup

You must first create a Credential Store in FlexDeploy by clicking the + Create button on the Configuration - Integration - Credential Store page. A credential store represents an instance of a specific type of credential store provider. If you have more than one CyberArk AAM installation, create an equal number of Credential Stores in FlexDeploy. Use the CyberArk AAM Agent Provider when creating this store.

Here are the configurations necessary for this store (Property Name, Notes, Example):

CLIPasswordSDK Executable Path
  Notes: Fully qualified path to clipasswordsdk on Unix or CLIPasswordSDK.exe on Windows. FlexDeploy invokes the agent like this:

    clipasswordsdk GetPassword -p AppDescs.AppID=$APP_ID -p Query="QUERY" -o $OUTPUT

  where APP_ID, QUERY and OUTPUT are the inputs configured for each credential.
  Example: /u01/cyberark/clipasswordsdk

Now you are ready to create the individual credentials to be retrieved from CyberArk.

You can create or edit credentials from the Credentials page or from wherever a specific credential is used.

A CyberArk credential requires the inputs described below.

Application Id
  Notes: The Application Id and Query Text are used together to retrieve the secret from CyberArk AAM.

Query
  Notes: Query Text for the credential. For example, Safe=Linux%20Accounts;Folder=root;Object=secret

Output
  Notes: Defaults to Password.

Here is what the edit credential popup looks like.

Create credential looks similar, except that you must also provide the Scope. The Scope cannot be changed once the credential is saved.

You can change the credential inputs (Application Id, Query Text) at any point. FlexDeploy uses these inputs with clipasswordsdk to retrieve the individual credential for use during Workflow Execution.

Integrate with Azure Key Vault

FlexDeploy provides out-of-the-box integration with Azure Key Vault to retrieve secrets. FlexDeploy authenticates using the OAuth 2.0 authentication method.

Azure Key Vault Setup

  • Create a new App registration in the Azure Portal. You can leave the Redirect URL blank.

  • Create a new Client Secret in the Certificates & secrets section of the created app registration.

  • Copy the secret immediately, as this is the last chance you have to do so.

  • Grant the Key Vault Secrets User role to the created app registration in the desired Key Vault's Access policies section (for Vault access policy) or Access control (IAM) section (for Azure role-based access control).

  • Here are screenshots of the IAM setup.

FlexDeploy Setup

You must first create a Credential Store in FlexDeploy by clicking the + Create button on the Configuration - Integration - Credential Store page. A credential store represents an instance of a specific type of credential store provider. If you have more than one Azure Key Vault, create an equal number of Credential Stores in FlexDeploy.

Here are the configurations necessary for this store (Property Name, Notes, Example):

Vault URL
  Notes: HTTP URL for the Azure Key Vault.
  Example: https://mycompany.vault.azure.net

Tenant ID
  Notes: Azure Tenant ID (Directory ID).
  Example: as per your Vault configuration

Client ID
  Notes: The Application ID of the application registered in the Azure Portal.
  Example: as per your Vault configuration

Client Secret
  Notes: Client Secret generated in the Azure Portal.
  Example: as per your Vault configuration

Azure Resource
  Notes: The App ID URI of the target web API.
  Example: https://vault.azure.net/

Grant Type
  Notes: OAuth 2.0 grant type used for authentication.
  Example: client_credentials

API Version
  Notes: Version of the Azure Key Vault REST API.
  Example: 2016-10-01

Now you are ready to create the individual credentials to be retrieved from the Key Vault.

You can create or edit credentials from the Credentials page or from wherever a specific credential is used.

An Azure Key Vault credential requires the input described below.

Secret Name
  Notes: Name of the secret holding the value. Secret names can also be entered in the format SecretName/Version to retrieve a specific version of the secret.

Here is what the edit credential popup looks like.

Create credential looks similar, except that you must also provide the Scope. The Scope cannot be changed once the credential is saved.

You can change the credential input (Secret Name) at any point. FlexDeploy uses this input together with the credential store properties (Vault URL, Client ID and Client Secret) to retrieve the individual credential for use during Workflow Execution.
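The Azure flow described above, as an added example that is not FlexDeploy's own code: a client_credentials token request using the Tenant ID, Client ID, Client Secret and Azure Resource properties, followed by a GET of the secret (honouring the SecretName/Version input form and the API Version property). The token endpoint is assumed to be the Azure AD v1 endpoint (the one that takes the `resource` App ID URI); the store key names and injectable transports are this example's own.

```python
import json
import urllib.parse
import urllib.request


def token_request(store):
    """Build the client-credentials token call. Assumption: the Azure AD v1 endpoint
    (/oauth2/token), which accepts the App ID URI as the `resource` parameter."""
    url = f"https://login.microsoftonline.com/{store['tenant_id']}/oauth2/token"
    form = {"grant_type": store.get("grant_type", "client_credentials"),
            "client_id": store["client_id"],
            "client_secret": store["client_secret"],
            "resource": store.get("resource", "https://vault.azure.net/")}
    return url, form


def secret_url(vault_url, secret_name, api_version="2016-10-01"):
    """GET {Vault URL}/secrets/{name}[/{version}]?api-version=...; the Secret Name
    input may be given as SecretName/Version to pin a specific version."""
    name, _, version = secret_name.partition("/")
    path = "/secrets/" + urllib.parse.quote(name, safe="")
    if version:
        path += "/" + urllib.parse.quote(version, safe="")
    return f"{vault_url.rstrip('/')}{path}?api-version={api_version}"


def _post_form(url, form):
    """Form-encoded POST returning parsed JSON (the token response)."""
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=10) as r:
        return json.load(r)


def _get_json(url, bearer):
    """GET with the access token as a Bearer header, returning parsed JSON."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer}"})
    with urllib.request.urlopen(req, timeout=10) as r:
        return json.load(r)


def fetch_secret(store, secret_name, post=_post_form, get=_get_json):
    """store keys (assumed names): vault_url, tenant_id, client_id, client_secret,
    and optionally resource, grant_type, api_version."""
    url, form = token_request(store)
    token = post(url, form)["access_token"]
    body = get(secret_url(store["vault_url"], secret_name,
                          store.get("api_version", "2016-10-01")), token)
    return body["value"]  # Key Vault returns the secret value in the "value" field
```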

Integrate with Thycotic Secret Server

FlexDeploy provides out-of-the-box integration with Thycotic Secret Server to retrieve secrets.

Thycotic Secret Server Setup

  • Make sure web services are enabled on Thycotic Secret Server.

FlexDeploy Setup

You must first create a Credential Store in FlexDeploy by clicking the + Create button on the Configuration - Integration - Credential Store page. A credential store represents an instance of a specific type of credential store provider. If you have more than one Thycotic Secret Server, create an equal number of Credential Stores in FlexDeploy.

Here are the configurations necessary for this store (Property Name, Notes, Example):

Thycotic Server Hostname
  Notes: Thycotic is accessed using the URL https://<Thycotic Server Hostname>/SecretServer
  Example: thycotic.mycompany.com

Thycotic Username
  Notes: Username of the service account used to access Thycotic Secret Server.
  Example: as per your server configuration

Thycotic Password
  Notes: Password of the service account used to access Thycotic Secret Server.
  Example: as per your server configuration

Thycotic Domain
  Notes: Domain of the service account used to access Thycotic Secret Server.
  Example: as per your server configuration

Ignore SSL Errors
  Notes: Use the default SSL configuration and ignore any SSL errors (server certificate validation failures).
  Example: true or false. Defaults to true.

If SSL errors are not ignored, you may have to add the server certificate to the Java keystore; see Adding certificate to Java Keystore.

Now you are ready to create the individual credentials to be retrieved from the Secret Server.

You can create or edit credentials from the Credentials page or from wherever a specific credential is used.

A Thycotic Secret Server credential requires the input described below.

Secret ID
  Notes: The ID of the secret. On Thycotic Secret Server this is the unique identifier of a secret; it appears in the URL when you browse to the secret in the Thycotic web application.

Here is what the create and edit credential popup looks like. The credential Scope cannot be changed after creation.

You can change the credential input (Secret ID) at any point. FlexDeploy uses this input together with the credential store properties to retrieve the individual credential for use during Workflow Execution.
