Integrate with CyberArk AAM (Agent)

FlexDeploy provides out of box integration with CyberArk AAM to retrieve secrets. FlexDeploy will authenticate using client certificate or retrieve credentials using Agent. In this section we will talk about retrieval of credentials using Agent.

CyberArk Setup

  • Create necessary Application Id(s) in CyberArk AAM.

  • Configure safe and credentials.

  • Configure Application Id(s) for specific client certificate authentication.

  • Install and configure CyberArk Agent on FlexDeploy server. You will need location of clipasswordsdk executable for configuration as well.

FlexDeploy Setup

You must first create Credential Store in FlexDeploy by clicking + Create button on Configuration - Integration - Credential Store page. Credential store represents instance of specific type of credential store provider. If you have more than one CyberArk AAM installations, you will create equal number of Credential Stores in FlexDeploy. Use CyberArk AAM Agent Provider when creating this store.

Here are the configurations necessary for this store.

Property Name

Notes

Example

Property Name

Notes

Example

CLIPasswordSDK Executable Path

Fully qualified path for clipasswordsdk on Unix or CLIPasswordSDK.exe on Windows.

FlexDeploy will invoke this agent script like this.

clipasswordsdk GetPassword -p AppDescs.AppID=$APP_ID -p Query="QUERY" -o $OUTPUT

where APP_ID, QUERY and OUTPUT are inputs configured for each credential.

/u01/cyberark/clipasswordsdk

Now you are ready to create individual credential to be retrieved from CyberArk.

You can 1:create or 2:edit credentials from Credentials page or from where specific credential is used.

CyberArk credential requires two inputs as described below.

Input Name

Notes

Input Name

Notes

Application Id

Application id and Query Text are used to retrieve secret from CyberArk AAM.

Query

Query Text for credential. For example, Safe=Linux%20Accounts;Folder=root;Object=secret

Output

This will default to Password.

Here is how the edit credential popup looks like.

Create credential looks similar except you need to provide Scope as well. Scope can not changed once credential is saved.

You can change credential inputs (Application Id, Query Text) at any point. FlexDeploy will use these inputs with clipasswordsdk to retrieve individual credential for use during Workflow Execution.

The following macros are not currently supported in the footer:
  • style