Skip to main content

CyberArk Key Storage Plugin (Commercial)

CyberArk Key Storage Plugin (Commercial)

CyberArk is a leader in Privileged Access Management solutions providing cloud ready, easy to use security solutions across the complete privileged access surface. A centralized password management system provides visibility and control to protect privileges from attack. CyberArk's solution is built for the Enterprise to enforce strong password business policies and prevent data breaches.

Prerequisites

In order to securely communicate with CyberArk, Runbook Automation requires keystores for SSL and Client authentication. Instructions store the RootCA certificate, the client certificate and the client private key in key stores and specify them in rundeck-config.properties. For more information on creating/using a keystore, see Java Keystore.

Below is an example of how to import a certificate using the command-line:

keytool -import -file "C:\Path\to\certificateFile.crt" -keystore "C:\Path\to\Keystore\Keystorename" -storepass "password"

Below is an example of how to import another key store, likely containing the private key:

keytool -importkeystore -deststorepass [password] -destkeystore [new-keystore.jks] -srckeystore [keystore-filename.p12] -srcstoretype PKCS12```

Keystore Paths

If a full path is not specified for the new keystore, it will create the keystore in the directory the command was run from. Take note of all the keystore names and passwords as they are created, they will be needed to configure Runbook Automation. Once the certificates and private key are in keystore(s), add them to Runbook Automation using rundeck-config.properties or in Key Storage Config, as shown below.

Note for Cloud Users

In order to integrate Runbook Automation (Cloud) with CyberArk, the Enterprise Runner must be used. This is because we do not allow customers to upload their CA Certs and Keystores to our Cloud infrastructure.
Please follow the instructions in the Integration Through Enterprise Runner section.

Configuration

Key Storage Config (GUI)

Use the following steps to configure the CyberArk plugin for key storage:

  1. Navigate to the System Menu (gear icon in the upper right).
  2. Click on Key Storage:
    Key Storage Menu
  3. Navigate to the Configure tab.
  4. Click on Add Storage Plugin +.
  5. Click on CyberArk Storage

Integration Fields:

  • Key Storage Path: The path in the Runbook Automation storage tree to apply the plugin. If keys is specified, then all keys and directories added to Key Storage will also be added to CyberArk.

  • Remove Path Prefix: By default, the storage plugin will be invoked using the full path that is requested. If set to true, the path used when invoking the storage plugin would not include the prefix. It is recommended to set this to true. If set to false, keys will not be displayed unless an existing directory is specified in Runbook Automation.

  • Mode: The mode for interacting with CyberArk. See above for descriptions of the various modes.

    • The REST mode authenticates with the REST API through the AIM Web Service to list the safes and list the names of the secrets within the safes. The retrieval and usage of individual secrets is accomplished through communication with the Credential Provider, not through the AIM WebService.

      Note "legacy" mode

      Prior versions of Runbook Automation used legacy mode to use the REST API. To support prior versions, legacy can still be used in the Mode field, and it will behave the same as REST.

    • The CCP mode will get secrets using the Central Credential Provider (CCP) web service configuration. To setup Cyberark for this method follow this documentation.
      This mode has a limitation that it is unable to list the keys in safes. When writing Process Automation jobs the job author will need to manually enter the path to the key using the following format:
      [provider_path]/[safe]/path/to/secret.pem

      • provider_path is specified in the config. Commonly it is set as keys but could be different.
      • safe is the Cyberark Safe where the key is stored.
      • path/to is the folder path within the safe where the key is stored.
      • secret.pem is the unique name of the key in that particular folder.

  • Base URL: The base URL for the CyberArk account where the secrets should be saved. Use the format: https://[urltoyourserver]:[port].

  • Credential Provider URL: (Optional) The URL for the Central Credential Provider Web Service. Defaults to the Base URL.

  • Name of CCP WebService: If using ccp mode this can be used to specify the name of the CCP Web Service. Default (if setting is not specified) is AIMWebService.

  • CCP AppID: WebService AppID of the Central Credential Provider used to retrieve accounts and passwords.

  • Credential Safe: CyberArk Credential Provider Safe for REST API mode.

  • Credential Path: CyberArk Credential Provider Safe for REST API mode.

  • Credential AppID: CyberArk Credential Provider AppId for REST API mode.

  • Username: If using basic authentication, this is the username for an account with access to the secrets that will be used in Runbook Automation.

  • Password: The password for a user in the account where the secrets are stored.

    Less secure authentication

    It is not recommended to use basic authentication with Username and Password. It is recommended to use the Credential Safe, Path and AppID to retrieve REST credentials from the CCP.

  • Client KeyStore: The path to the key store that contains the client certificate. (Must be of type JKS)

  • Client KeyStore Password: The password for the key store that contains the client certificate.

  • Root CA KeyStore: The path to the key store containing the RootCA certificate. (Must be of type JKS)

  • Root CA KeyStore Password: The password for the key store containing the RootCA certificate.

  • Private KeyStore: The path to the key store containing the user's private key. (Must be of type JKS)

  • Private KeyStore Password: The password for the key store containing the user's private key.

  • PrivateKey Password: Password to access the private key.

  • Root CA Name: The name that the Root CA Certificate is saved under in the key store.

  • Client Certificate Name: The name that the Client Certificate is saved under in the key store.

  • Private Key Name: Alias for the private key in the keystore.

  • Platform ID: (Optional) Platform ID to use when creating a new secret from Runbook Automation's key storage.

  • Create Username: (Optional) Default username applied when creating a new password entry in CyberArk. This is only applicable when using Runbook Automation to create new entries in CyberArk.

Below is an example configuration:

CyberArk Full Config

Integration Through Enterprise Runner

The Enterprise Runner can be used to integrate with CyberArk. This is useful when CyberArk is hosted in an environment that is not directly accessible from Runbook Automation - whether self-hosted or Cloud.

The following provides examples of how to configure the Enterprise Runner to connect to CyberArk:

YAML Config File

Custom properties for the Runner can be set through a .yaml file:

runner:
  rundeck:
      storage:
        cyberark:
          type: "cyberark-storage"
          pathBehavior: "predefined"
          configuration:
            baseURL: "https://services-uswest.skytap.com:14417"
            username: "Administrator"
            password: "myPassword"
            appId: "testappid"
            clientKeyStore: /etc/rundeck/cyberark/clientkeystore
            clientKeyStorePassword: "myClientPass"
            rootCAKeyStore: /etc/rundeck/cyberark/rootkeystore
            rootCAKeyStorePassword: "myRootPass"
            privateKeyStore: /etc/rundeck/cyberark/privatekeystore.jks
            privateKeyStorePassword: "myPrivatePass"
            privateKeyPassword: "myPrivateKeyPass"
            privateKeyName: "client_1-28"
            rootCAName: "rootcert"
            clientCertName: "clientcert"

Save this file in the directory where the Runner .jar is located and then invoke the Runner with the following command:

java -Dmicronaut.config.files=runner-props.yaml -jar runner-{{unique-runner-id}}.jar

CCP Mode

CCP Mode requires the explicit configuration of the availability check path that is used to determine if the CyberArk service is available.

    runner:
      rundeck:
          storage:
            cyberark:
              availabilityCheckPath: WinServerLocal-account-Administrator
              <...>
              configuration:
                mode: ccp
                <...>