Integrate with CyberArk AAM (HTTP)

FlexDeploy provides out of box integration with CyberArk AAM to retrieve secrets. FlexDeploy will authenticate using client certificate or retrieve credentials using Agent. In this section we will talk about client certificate based authentication.

CyberArk Setup

  • Create necessary Application Id(s) in CyberArk AAM.
  • Configure safe and credentials.
  • Configure Application Id(s) for specific client certificate authentication.
  • If necessary, get PEM files for CyberArk server trust.

Generating the Client Certificate

Here are some steps for creating a client .pem file for authenticating against CyberArk from FlexDeploy. This uses openssl to create a certificate signing request and private key. Your organization may have their own guidelines, but this may help for understanding the general process needed.  

  1. Generate a certificate signing request and private key. Preferably run this on FlexDeploy server. We have to secure private key file, so that it is only accessible by FlexDeploy application process.
    openssl req -newkey -nodes -keyout clientKey.key -out clientCSR.csr
       
  2. Present the certificate signing request (.csr file) to your certificate authority (CA). The certificate authority will sign and return a certificate (.crt/.cer file).

  3. The certificate will likely be a .crt, .cer, or .pem file, which are all PEM format. If it's in another format, it will need to be converted to one of these formats. For example, a .p7b file is also a common format to receive certificates. Here's a command for converting from PKCS#7.
    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt
       
  4. Create a .pem file from the certificate and private key.
    cat clientCertificate.crt clientKey.key > clientPem.pem


This set of steps will create a PKCS#8 key file. See Converting Between Key Formats if you prefer another format.

FlexDeploy Setup

You must first create Credential Store in FlexDeploy by clicking Create Store button on Administration - Security - Credentials page. Credential store represents instance of specific type of credential store provider. If you have more than one CyberArk AAM installations, you will create equal number of Credential Stores in FlexDeploy. Use CyberArk AAM Provider when creating this store.

Here are the configurations necessary for this store.

Property NameNotesExample
CyberArk URL

HTTP URL for CyberArk AAM. FlexDeploy will invoke HTTP GET to retrieve credential. If you use https protocol, then you may have to setup Server Certificate Path.

URL can be https://services-xyz.skytap.com:1234 or https://services-xyz.skytap.com:1234/AIMWebservice/api/Accounts. If URL does not end with api/Accounts, then /AIMWebservice/api/Accounts will be added to end of URL automatically for invocation.

https://services-xyz.skytap.com:1234
Client Certificate Path

This is the full path to the .pem file containing the private key and certificate chain used to authenticate FlexDeploy against CyberArk AAM.

Only PEM certificates are supported at this time. You must store PEM certificate file with private key and certificate on FlexDeploy server in secure location. See the Supported Key Formats section below to verify your private key meets requirements.


Client Certificate PasswordClient certificate password. This is required for encrypted private keys.
Server Certificate Path

Optional, only needed if using https protocol. This is the full path to the .pem certificate file which is used to setup trust for CyberArk server.

Only PEM certificates are supported at this time. You must store PEM certificate file with certificate on FlexDeploy server in secure location.


Now you are ready to create individual credential to be retrieved from CyberArk.

You can create or edit credentials from Credentials page or from where specific credential is used.


CyberArk credential requires two inputs as described below.

Input NameNotes
Application IdApplication id and Query Text are used to retrieve secret from CyberArk AAM.
QueryQuery Text for credential. For example, Safe=Linux%20Accounts;Folder=root;Object=secret

Here is how edit credential looks like.

Create credential looks similar except you need to provide Scope as well. Scope can not changed once credential is saved.

You can change credential inputs (Application Id, Query Text) at any point. FlexDeploy will use these inputs with credential store properties like URL, Certificate Path etc. to retrieve individual credential for use during Workflow Execution.

Supported Key Formats

  • PKCS#8 - In a PEM file, the base64 ASCII encoded private key will be contained between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines. 
  • PKCS#1 (RSA) @since 5.6.0.1- In a PEM file, the base64 ASCII encoded private key will be contained between -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines. This RSA key cannot be password protected. There will be lines before the key similar to Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,2A37A86050838C0D if the key is encrypted, and therefore password protected. If you prefer to use a password to protect the private key, use a PKCS#12 key.
  • PKCS#12 (Encrypted) @since 5.6.0.1- In a PEM file, the private key will be contained between -----BEGIN ENCRYPTED PRIVATE KEY----- and -----END ENCRYPTED PRIVATE KEY----- lines. A client certificate password is required for this private key format. Supported ciphers are
    • des/des3 (default)
    • aes128/aes192/aes256
    • camellia128/camellia192/camellia256

Converting Between Key Formats

Often, a certificate and key will be provided in the form of .cer and .key files or some other format. OpenSSL or another tool will be needed to convert to the supported PEM format. See some examples below.

  • Create a .p12 combined certificate file from .key and .cer files, then export as a .pem file. You will be prompted for the password when running these commands.

openssl pkcs12 -export -in <.cer file> -inkey <.key file> -out <.p12 result file> -name <friendly name>

openssl pkcs12 -in <.p12 file> -out <.pem result file>

  • Convert a PKCS#8 .pem file to PKCS#1. Keep in mind adding options like -des to this command is not supported. To encrypt a key, convert it to PKCS#12 format with the openssl pkcs12 command.

openssl rsa -in <.pem file> -out <rsa .pem file>

  • Encrypt a PKCS#8 or PKCS#1 .pem file. You will be prompted for the password when running these commands.

openssl pkcs12 -export -in <.pem file> -out <.p12 file>

openssl pkcs12 -in <.p12 file> -out <new .pem file>