Quick Info
Description
CyberArk Application Identity Manager, part of the CyberArk Privileged Account Security Solution, enables organizations to protect critical business systems by eliminating hard-coded credentials from application scripts, configuration files, and software code and removing SSH keys from servers where they are used by applications and scripts. Application Identity Manager offers agent and agentless deployment options to best meet the security and availability requirements of various business applications. The product is built on the CyberArk Shared Technology Platform, delivering scalability, high availability, and centralized management and reporting.
Overview
CyberArk Application Identity Manager, an integrated part of the CyberArk Privileged Account Security Solution, enables organizations to protect critical business systems by eliminating hard-coded credentials from applications, automation scripts, configuration files and software code, and by removing SSH keys from servers where they are used by applications and scripts. CyberArk Application Identity Manager offers agent and agentless deployment options to best meet the security and availability requirements of various business applications. The product is designed to help customers achieve enterprise-level scalability and high availability, and to offer centralized management and reporting.
Steps
The following process steps are available:
- Authenticate Conjur
- Get Password from CCP (Web Service)
- Get Password from CP (CLI Utility)
- Get Variable from Conjur
Authenticate Conjur
Authenticate to Conjur with an API key to obtain a short-lived access token.
Name | Type | Description | Required |
---|---|---|---|
API Key | String | The API key of the user or host that is logging in | Yes |
Account | String | Organization account name | Yes |
Api Version | Enumeration | The version of the API. Valid values are v4 and v5 | Yes |
Conjur URL | String | URL of Conjur, for example https://eval.conjur.org | Yes |
Login | String | The login name of the client. For users, it is the user ID. For hosts, the login name is host/host-id | Yes |
Output Property: Access Token | String | Process Request Property for storing the retrieved access token | Yes |
Proxy | String | Proxy to use; leave blank if no proxy is needed | No |
Get Password from CCP (Web Service)
Retrieve a password from the CyberArk AIM Central Credential Provider via an HTTP request.
The Central Credential Provider is installed on a central IIS server, separate from the agent. This step will set the <prefix>/username, <prefix>/address, and <prefix>/password properties at either the component process request level or the generic process request level.
Name | Type | Description | Required |
---|---|---|---|
Application ID | String | The unique ID of the application issuing the password request. | Yes |
Folder | String | The name of the folder where the password is stored. | No |
Keystore File | String | The path to the agent machine's keystore file. This is required when the CyberArk server authenticates applications using client certificates. | No |
Keystore Password | Password | The password of the agent machine's keystore. | No |
Keystore Type | String | The type of keystore on the agent machine. | No |
Object Name | String | The name of the password object to retrieve. | No |
Process Property Prefix | String | The value to be prepended to each process request property that is created by this step. You may address these properties in subsequent steps with the syntax ${p:<prefix>/password}, for instance. | Yes |
SSL/TLS Debug Level | String | Specify a debug level to set the javax.net.debug system property. A level of all will log everything. More specific logging levels are also accepted; for instance, ssl:handshake will only log information regarding handshakes between the client and server. | No |
Safe | String | The name of the safe where the password is stored. | No |
Server URL | String | The URL of your CyberArk server. This property should be specified in the format https://host:port/AIMWebService/api/accounts. | Yes |
Trust Invalid Certificates | Boolean | Check this box to trust all SSL certificates on the agent machine. This will trust any certificate returned from the CyberArk server during connection. | No |
Get Password from CP (CLI Utility)
Retrieve a password from the CyberArk AIM Credential Provider via the clipasswordsdk command line utility on the agent machine. This step will set the CyberArk/username, CyberArk/address, and CyberArk/password properties at either the component process request level or the generic process request level.
Name | Type | Description | Required |
---|---|---|---|
App ID | String | AppID configured in CyberArk PVWA | Yes |
Folder | String | The name of the folder | Yes |
Object | String | Object name of the credential | Yes |
Output Property: Address | String | Process Request Property for storing the retrieved address | No |
Output Property: Password | String | Process Request Property for storing the retrieved password | Yes |
Output Property: User Name | String | Process Request Property for storing the retrieved user name | No |
Path | String | Full path to clipasswordsdk, e.g. /opt/CARKaim/sdk/clipasswordsdk | Yes |
Safe | String | Safe name | Yes |
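The CLI step above shells out to clipasswordsdk once per credential. The following is an added example, not the plugin's own code, of how such a wrapper can be written so that the Safe, Folder and Object values cannot alter the Query string and the password never appears on a command line or in an error message. The GetPassword argument syntax (-p AppDescs.AppID=..., -p Query="Safe=...;Folder=...;Object=...", -o <field>) is assumed from CyberArk's CLI documentation and should be checked against the SDK version on your agent; the fake_runner at the bottom is a constructed stand-in so the example runs without CyberArk installed.

```python
"""Added example (not the plugin's code): wrapping clipasswordsdk the way
the "Get Password from CP (CLI Utility)" step does.  The GetPassword
argument syntax used here is assumed from CyberArk's CLI documentation."""
import re
import subprocess
from types import SimpleNamespace

# SDK output field requested for each property the step sets.
FIELD_FOR_PROPERTY = {
    "password": "Password",
    "username": "PassProps.UserName",
    "address": "PassProps.Address",
}

# ';' and '=' would let a value rewrite the Query; newlines are rejected too.
_SAFE_VALUE = re.compile(r"[^;=\r\n]+")


def build_cli_args(sdk_path, app_id, safe, folder, obj, output_field):
    """Build argv for one GetPassword call.  A list (no shell) is used so the
    values are never re-parsed by /bin/sh, and each Query component is
    checked so a stray ';' cannot smuggle in another Safe=... clause."""
    for name, value in (("App ID", app_id), ("Safe", safe),
                        ("Folder", folder), ("Object", obj)):
        if not _SAFE_VALUE.fullmatch(value):
            raise ValueError(f"{name} contains characters not allowed here")
    return [
        sdk_path, "GetPassword",
        "-p", f"AppDescs.AppID={app_id}",
        "-p", f"Query=Safe={safe};Folder={folder};Object={obj}",
        "-o", output_field,
    ]


def get_password(sdk_path, app_id, safe, folder, obj, runner=subprocess.run):
    """Return {"password", "username", "address"}, the values the step stores
    as CyberArk/password, CyberArk/username and CyberArk/address.  One SDK
    call per field avoids parsing a delimited line, which is ambiguous when
    the password itself contains the delimiter."""
    creds = {}
    for prop, field in FIELD_FOR_PROPERTY.items():
        argv = build_cli_args(sdk_path, app_id, safe, folder, obj, field)
        proc = runner(argv, capture_output=True, text=True, check=False)
        if proc.returncode != 0:
            # Report stderr only: stdout could already hold secret material.
            raise RuntimeError(
                f"clipasswordsdk {field} failed (rc={proc.returncode}): "
                f"{proc.stderr.strip()}")
        creds[prop] = proc.stdout.rstrip("\r\n")  # keep inner whitespace intact
    return creds


# Constructed stand-in for the SDK so the example runs without CyberArk.
_FAKE_VAULT = {
    "Password": "s3cr3t,with,commas",
    "PassProps.UserName": "svc_deploy",
    "PassProps.Address": "db01.example.internal",
}


def fake_runner(argv, **kwargs):
    """Answers like clipasswordsdk would: the requested field plus a newline."""
    field = argv[argv.index("-o") + 1]
    return SimpleNamespace(returncode=0, stdout=_FAKE_VAULT[field] + "\n", stderr="")


if __name__ == "__main__":
    creds = get_password("/opt/CARKaim/sdk/clipasswordsdk", "DeployApp",
                         "DeploySafe", "Root", "db01-svc", runner=fake_runner)
    print({k: ("***" if k == "password" else v) for k, v in creds.items()})
```

Passing `runner=subprocess.run` (the default) on a real agent runs the SDK at the configured Path; the injected runner exists only so the retrieval logic can be exercised and tested without a Credential Provider.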
Get Variable from Conjur
Retrieve the value of a variable from Conjur using an access token.
Name | Type | Description | Required |
---|---|---|---|
Access Token | String | Conjur access token | Yes |
Account | String | Organization account name | No |
Api Version | Enumeration | The version of the API. Valid values are v4 and v5 | Yes |
Conjur URL | String | URL of Conjur, for example https://eval.conjur.org | Yes |
Output Property: Variable | String | Process Request Property for storing the retrieved variable | Yes |
Proxy | String | Proxy to use; leave blank if no proxy is needed | No |
Variable ID | String | The ID of the variable to retrieve | Yes |
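The Authenticate Conjur and Get Variable from Conjur steps together form one exchange: trade the API key for a short-lived token, then present that token to read a variable. The following is an added example of that exchange, not the plugin's code. It assumes the Conjur v5 REST paths (/authn/{account}/{login}/authenticate and /secrets/{account}/variable/{id}); the v4 paths differ and are not covered. The account, login, variable ID and the FakeConjur responder are constructed so the example runs offline.

```python
"""Added example (not the plugin's code): the Conjur v5 exchange behind the
"Authenticate Conjur" and "Get Variable from Conjur" steps."""
import base64
import io
from urllib.parse import quote
from urllib.request import Request, ProxyHandler, build_opener


def authn_request(conjur_url, account, login, api_key):
    """POST the API key to obtain a short-lived access token.  The login is
    percent-encoded with '/' included, so a host login "host/ci/deployer"
    becomes host%2Fci%2Fdeployer and stays a single path segment."""
    base = conjur_url.rstrip("/")
    url = f"{base}/authn/{quote(account, safe='')}/{quote(login, safe='')}/authenticate"
    return Request(url, data=api_key.encode(), method="POST",
                   headers={"Content-Type": "text/plain"})


def token_header(token_json):
    """Conjur expects the raw token JSON base64-encoded inside
    Authorization: Token token="<...>"."""
    b64 = base64.b64encode(token_json.encode()).decode("ascii")
    return {"Authorization": f'Token token="{b64}"'}


def variable_request(conjur_url, account, variable_id, headers):
    """GET the current value of a variable.  IDs such as prod/db/password are
    percent-encoded so the path stays unambiguous."""
    base = conjur_url.rstrip("/")
    url = f"{base}/secrets/{quote(account, safe='')}/variable/{quote(variable_id, safe='')}"
    return Request(url, headers=headers, method="GET")


def make_opener(proxy=None):
    """Route through the proxy from the step's Proxy field when set; an empty
    ProxyHandler otherwise ignores any proxy variables in the environment."""
    handler = ProxyHandler({"https": proxy, "http": proxy} if proxy else {})
    return build_opener(handler)


def get_variable(conjur_url, account, login, api_key, variable_id, opener):
    """Authenticate, then read the variable with the fresh token.  The token is
    short-lived, so it is obtained per retrieval rather than cached."""
    with opener.open(authn_request(conjur_url, account, login, api_key)) as resp:
        token_json = resp.read().decode()
    headers = token_header(token_json)
    with opener.open(variable_request(conjur_url, account, variable_id, headers)) as resp:
        return resp.read().decode()


class FakeConjur:
    """Constructed stand-in for a Conjur server (account myorg, host login
    host/ci/deployer) so the exchange can run without network access."""
    API_KEY = "constructed-api-key"
    TOKEN = '{"protected":"x","payload":"y","signature":"z"}'

    def open(self, req):
        url = req.full_url
        if url.endswith("/authn/myorg/host%2Fci%2Fdeployer/authenticate"):
            if req.get_method() != "POST" or req.data != self.API_KEY.encode():
                raise PermissionError("bad API key")
            return io.BytesIO(self.TOKEN.encode())
        if url.endswith("/secrets/myorg/variable/prod%2Fdb%2Fpassword"):
            if req.get_header("Authorization") != token_header(self.TOKEN)["Authorization"]:
                raise PermissionError("missing or malformed token header")
            return io.BytesIO(b"hunter2")
        raise FileNotFoundError(url)


if __name__ == "__main__":
    value = get_variable("https://eval.conjur.org", "myorg", "host/ci/deployer",
                         FakeConjur.API_KEY, "prod/db/password", FakeConjur())
    print("variable length:", len(value))  # value itself is deliberately not printed
```

Against a live server, `make_opener(proxy)` supplies the `opener` argument; the fake is only there so the request construction and header handling can be verified in isolation.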
Usage
Process Request Properties
The CyberArk plugin password retrieval steps generate secure process request properties accessible only by the currently running process. In subsequent steps you may access these properties using the syntax ${p:CyberArk/password}, ${p:CyberArk/username}, and ${p:CyberArk/address}.
CyberArk Authentication
The CyberArk server determines how applications will be authenticated to access objects. Applications may be authenticated via Windows username, allowed hostnames, and client certificates. The Get Password from CCP (Web Service) step allows for authentication via client certificate.
The Keystore File, Keystore Password, and Keystore Type step fields allow you to set an SSL context to request password objects from CyberArk. The certificates in the referenced keystore will be passed with the request. The CyberArk server must trust the client certificate in its truststore and reference the serial number of the certificate to authenticate with.
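The Get Password from CCP (Web Service) step table and the CyberArk Authentication section above both describe the same HTTPS request: a URL built from AppID, Safe, Folder and Object, sent over a TLS context that presents the agent's client certificate and either verifies the CyberArk server's certificate or, with Trust Invalid Certificates checked, accepts anything. The following is an added example, not the plugin's code, that shows the two TLS configurations side by side and maps a CCP reply onto the <prefix>/username, /address and /password properties. It assumes the CCP query parameter names and a JSON reply with Content, UserName and Address fields; the client certificate is taken as PEM files because Python's ssl module does not read Java keystores; SAMPLE_RESPONSE is constructed so the example runs offline.

```python
"""Added example (not the plugin's code): the HTTPS side of "Get Password
from CCP (Web Service)" with client-certificate authentication and the
difference between a verifying TLS context and the Trust Invalid
Certificates setting."""
import json
import ssl
from urllib.parse import urlencode


def build_ccp_url(server_url, app_id, safe=None, folder=None, object_name=None):
    """server_url is the step's Server URL, e.g.
    https://host:port/AIMWebService/api/accounts.  Optional lookup fields are
    omitted rather than sent empty; urlencode handles the escaping."""
    params = {"AppID": app_id}
    if safe:
        params["Safe"] = safe
    if folder:
        params["Folder"] = folder
    if object_name:
        params["Object"] = object_name
    return f"{server_url}?{urlencode(params)}"


def make_tls_context(trust_invalid=False, client_cert=None, client_key=None,
                     ca_bundle=None):
    """Mirror the step's Keystore* and Trust Invalid Certificates fields.
    The default context verifies the server chain and hostname.  trust_invalid
    reproduces the weak setting: a host that intercepts the connection can then
    impersonate the CyberArk server and hand back credentials of its choosing."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    if trust_invalid:
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    if client_cert:
        # Keystore equivalent: the certificate is sent in the TLS handshake and
        # matched by serial number on the CyberArk side (PEM cert + key assumed).
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def describe_context(ctx):
    """Small summary so a deployment can assert it is not running the weak setting."""
    return {"verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
            "checks_hostname": bool(ctx.check_hostname)}


def parse_ccp_response(body):
    """Map the CCP JSON reply (field names assumed) onto the step's three values."""
    data = json.loads(body)
    if "Content" not in data:
        raise ValueError("CCP response carries no password Content")
    return {"username": data.get("UserName"),
            "address": data.get("Address"),
            "password": data["Content"]}


def to_process_properties(prefix, creds):
    """Property names match what the step creates: <prefix>/username,
    <prefix>/address and <prefix>/password."""
    return {f"{prefix}/{name}": value for name, value in creds.items()}


# Constructed reply, shaped like a CCP success response.
SAMPLE_RESPONSE = ('{"Content":"p@ss","UserName":"svc_deploy",'
                   '"Address":"db01.example.internal","Safe":"DeploySafe"}')


if __name__ == "__main__":
    url = build_ccp_url("https://vault.example:443/AIMWebService/api/accounts",
                        "DeployApp", safe="DeploySafe", folder="Root", object_name="db01-svc")
    print(url)
    print("strict :", describe_context(make_tls_context()))
    print("weak   :", describe_context(make_tls_context(trust_invalid=True)))
    props = to_process_properties("CyberArk", parse_ccp_response(SAMPLE_RESPONSE))
    print(sorted(props))  # names only; the password value is not echoed
```

`describe_context` is the check worth wiring into a deployment: if it ever reports `verifies_peer` False outside a lab, the agent is accepting any certificate the network presents.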