Tomcat Configuration for CyberArk Integration

Although this blog post is set up in the context of a FlexDeploy installation, it will be useful to anyone running Java web applications on Tomcat who wants to integrate Tomcat with CyberArk for data source passwords.

As you can see in a FlexDeploy installation, the database password is defined in the context.xml file in clear text. There are two ways to configure Tomcat to retrieve the password from CyberArk when a connection is requested:

  1. Use a property source configuration; you will need to write Java code to get the password from CyberArk.
  2. Use the Application Server Credential Provider utility from CyberArk.

Let’s discuss the Application Server Credential Provider configuration.

First, copy CACredTCMapper550.jar and javapasswordsdk.jar to the Tomcat lib directory. In the case of FlexDeploy, this is the <FlexDeploy Home>/apache-tomcat-flexdeploy/lib folder. You will need to download these files from the CyberArk site.

Now configure context.xml as shown below. Keep in mind that the credential query syntax is slightly different for this setup. For example, I normally use the query safe=Database%20Accounts;folder=root;object=fd_admin, but in the context.xml setup I need to use safe:Database%20Accounts,folder:Root,object:fd_admin. Basically, = is replaced by : and ; is replaced by a comma (,).

Additionally, this example is for a PostgreSQL database; if you are using another database, replace the driver class appropriately.

<!-- The CyberArk ASCPDriver wraps the real JDBC driver (vendorDriver) and fetches the password from the vault at connection time, so no password attribute is needed here -->
<Resource name="jdbc/flexdbDS" auth="Container"
        type="javax.sql.DataSource"
        factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
        driverClassName="com.cyberark.aim.v550.tomcat.ASCPDriver"
        vendorDriver="org.postgresql.Driver"

        userPropertyName="user"
        passwordPropertyName="password"

        connectionProperties="appId=App_FlexDeploy;query=safe:Database%20Accounts,folder:Root,object:fd_admin"

        url="vendorDriver=org.postgresql.Driver;jdbc:postgresql://dbpostgres1:5432/flexdeploy"

        maxTotal="100"
        maxIdle="20"

        validationQuery="select 1"
        testOnBorrow="true"

        defaultTransactionIsolation="READ_COMMITTED"
        useLocalSessionState="true"
        defaultAutoCommit="false"/>

Now start Tomcat, and you will never have to worry about putting a password in the context.xml file again!
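As an added example (not from the original post, and not CyberArk's or Tomcat's own code), a small Python audit that applies the two points above: it rewrites a query from the usual = and ; syntax into the : and , form that connectionProperties in context.xml needs, and it scans a context.xml for data sources that still carry a cleartext password attribute or an incomplete ASCP driver configuration. The sample context.xml, including the legacy data source with a cleartext password, is constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample context.xml: a legacy data source with a cleartext password
# ("before") and the CyberArk ASCP-backed data source from this post ("after").
SAMPLE_CONTEXT_XML = """<Context>
  <Resource name="jdbc/legacyDS" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://dbpostgres1:5432/flexdeploy"
            username="fd_admin" password="Secret123"/>
  <Resource name="jdbc/flexdbDS" auth="Container" type="javax.sql.DataSource"
            factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
            driverClassName="com.cyberark.aim.v550.tomcat.ASCPDriver"
            vendorDriver="org.postgresql.Driver"
            userPropertyName="user" passwordPropertyName="password"
            connectionProperties="appId=App_FlexDeploy;query=safe:Database%20Accounts,folder:Root,object:fd_admin"
            url="vendorDriver=org.postgresql.Driver;jdbc:postgresql://dbpostgres1:5432/flexdeploy"/>
</Context>"""
ASCP_DRIVER = "com.cyberark.aim.v550.tomcat.ASCPDriver"

def to_context_query(query: str) -> str:
    """Rewrite the usual CyberArk query (safe=..;folder=..;object=..) into the
    key:value,key:value form that connectionProperties in context.xml expects."""
    pairs = [p.split("=", 1) for p in query.split(";") if p]
    if any(len(p) != 2 for p in pairs):
        raise ValueError(f"malformed query: {query!r}")
    return ",".join(f"{k}:{v}" for k, v in pairs)

def audit_context_xml(xml_text: str) -> dict:
    """Map each javax.sql.DataSource Resource name to a list of findings."""
    findings = {}
    for res in ET.fromstring(xml_text).iter("Resource"):
        if res.get("type") != "javax.sql.DataSource":
            continue
        issues = []
        if res.get("password"):  # the attribute the ASCP setup is meant to remove
            issues.append("cleartext password attribute present")
        if res.get("driverClassName") == ASCP_DRIVER:
            raw = res.get("connectionProperties", "")
            props = dict(p.split("=", 1) for p in raw.split(";") if "=" in p)
            if "appId" not in props:
                issues.append("ASCP driver without appId in connectionProperties")
            q = props.get("query", "")
            if not q:
                issues.append("ASCP driver without query in connectionProperties")
            elif "=" in q or ";" in q:
                issues.append("query uses = and ; but context.xml needs : and ,")
            if not res.get("url", "").startswith("vendorDriver="):
                issues.append("url must start with vendorDriver=<driver>;")
        findings[res.get("name")] = issues
    return findings
```

Running audit_context_xml over a real context.xml after the change should report no findings for the ASCP-backed resource and flag any remaining data source that still has a password attribute.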


Chandresh Patel

I have been working with Java EE technologies since 2000. After implementing IBM WebSphere and custom framework solutions, my past 10 years have been focused on Oracle Fusion Middleware such as WebLogic, ADF, WebCenter and Coherence. I have been part of many automation projects in the past and have a passion for automation capabilities to help our customers deliver software faster and with higher quality. In my current role as a Principal Architect at Flexagon, I am driving the FlexDeploy product strategy and development to build DevOps/CI/CD features that help our customers.
