Although this blog post is set up in the context of a FlexDeploy installation, it will be useful for anyone running Java web applications on Tomcat who wants to integrate Tomcat with CyberArk for data source passwords.
As you can see in a FlexDeploy installation, the database password is defined in the context.xml file in clear text. There are two ways to configure Tomcat to retrieve the password from CyberArk at connection time:
- Use a property source configuration; you will need to write Java code to fetch the password from CyberArk.
- Use the Application Server Credential Provider utility from CyberArk.
Let’s discuss the Application Server Credential Provider configuration.
First copy CACredTCMapper550.jar and javapasswordsdk.jar to the Tomcat lib directory. In the case of FlexDeploy, this is the <FlexDeploy Home>/apache-tomcat-flexdeploy/lib folder. You will need to download these files from the CyberArk site.
Now configure context.xml as shown below. Keep in mind that the credential query syntax is slightly different for this setup. For example, I normally use the query safe=Database%20Accounts;folder=root;object=fd_admin, but in the context.xml setup I need to use safe:Database%20Accounts,folder:Root,object:fd_admin. Basically, = is replaced by : and ; is replaced by a comma (,).
Additionally, this example is for a PostgreSQL database; if you are using another database, replace the driver accordingly.
```xml
<Resource name="jdbc/flexdbDS"
          auth="Container"
          type="javax.sql.DataSource"
          factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
          driverClassName="com.cyberark.aim.v550.tomcat.ASCPDriver"
          vendorDriver="org.postgresql.Driver"
          userPropertyName="user"
          passwordPropertyName="password"
          connectionProperties="appId=App_FlexDeploy;query=safe:Database%20Accounts,folder:Root,object:fd_admin"
          url="vendorDriver=org.postgresql.Driver;jdbc:postgresql://dbpostgres1:5432/flexdeploy"
          maxTotal="100"
          maxIdle="20"
          validationQuery="select 1"
          testOnBorrow="true"
          defaultTransactionIsolation="READ_COMMITTED"
          useLocalSessionState="true"
          defaultAutoCommit="false"/>
```
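The two things that go wrong most often with this setup are a leftover clear-text `password` attribute and a query written in the usual `=`/`;` form instead of the `:`/`,` form the mapper expects. The following Python script is an added example, not code from CyberArk or FlexDeploy: it converts a query between the two syntaxes and lints a context.xml fragment for both mistakes. The attribute names and driver class are taken from the configuration above; the two XML fragments are constructed samples, and the rule that `url` must start with the same `vendorDriver=` prefix as the `vendorDriver` attribute is an assumption drawn from that sample, not documented CyberArk behaviour.

```python
import urllib.parse
import xml.etree.ElementTree as ET

# Driver class used in the context.xml configuration above.
ASCP_DRIVER = "com.cyberark.aim.v550.tomcat.ASCPDriver"

# Constructed sample: the "before" state with a clear-text password (fake value).
CLEAR_TEXT_XML = """<Context>
  <Resource name="jdbc/flexdbDS" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            username="fd_admin" password="CHANGEME-sample-only"
            url="jdbc:postgresql://dbpostgres1:5432/flexdeploy"/>
</Context>"""

# Constructed sample: the CyberArk ASCP form, mirroring the attributes shown above.
ASCP_XML = """<Context>
  <Resource name="jdbc/flexdbDS" auth="Container" type="javax.sql.DataSource"
            factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
            driverClassName="com.cyberark.aim.v550.tomcat.ASCPDriver"
            vendorDriver="org.postgresql.Driver"
            userPropertyName="user" passwordPropertyName="password"
            connectionProperties="appId=App_FlexDeploy;query=safe:Database%20Accounts,folder:Root,object:fd_admin"
            url="vendorDriver=org.postgresql.Driver;jdbc:postgresql://dbpostgres1:5432/flexdeploy"/>
</Context>"""


def to_context_query(query):
    """Convert safe=...;folder=...;object=... into safe:...,folder:...,object:...
    (= becomes :, ; becomes ,). Values stay percent-encoded as in the original."""
    parts = []
    for pair in query.split(";"):
        key, _, value = pair.partition("=")
        parts.append(f"{key}:{value}")
    return ",".join(parts)


def parse_context_query(query):
    """Parse the context.xml form back into a dict, percent-decoding values."""
    result = {}
    for pair in query.split(","):
        key, _, value = pair.partition(":")
        result[key] = urllib.parse.unquote(value)
    return result


def lint_resource(xml_text):
    """Return a list of findings for every DataSource <Resource> in the fragment."""
    findings = []
    root = ET.fromstring(xml_text)
    for res in root.iter("Resource"):
        if res.get("type") != "javax.sql.DataSource":
            continue
        name = res.get("name", "?")
        # A password attribute means the secret is still on disk in clear text.
        if "password" in res.attrib:
            findings.append(f"{name}: clear-text 'password' attribute present")
        if res.get("driverClassName") != ASCP_DRIVER:
            findings.append(f"{name}: driverClassName is not {ASCP_DRIVER}")
            continue
        # connectionProperties is a ;-separated list of key=value pairs.
        props = {}
        for item in res.get("connectionProperties", "").split(";"):
            if item:
                key, _, value = item.partition("=")
                props[key] = value
        if not props.get("appId"):
            findings.append(f"{name}: connectionProperties is missing appId")
        query = props.get("query", "")
        if "=" in query or ";" in query:
            findings.append(f"{name}: query uses '=' / ';' but context.xml needs ':' / ','")
        elif not {"safe", "folder", "object"} <= set(parse_context_query(query)):
            findings.append(f"{name}: query must name safe, folder and object")
        # Assumption from the sample: url carries the same vendorDriver prefix.
        vendor = res.get("vendorDriver", "")
        if not res.get("url", "").startswith(f"vendorDriver={vendor};"):
            findings.append(f"{name}: url should start with vendorDriver={vendor};")
    return findings


if __name__ == "__main__":
    print(to_context_query("safe=Database%20Accounts;folder=root;object=fd_admin"))
    for label, xml_text in (("clear-text", CLEAR_TEXT_XML), ("ascp", ASCP_XML)):
        print(label, lint_resource(xml_text) or "OK")
```

Run it against your own context.xml by reading the file into `lint_resource`; an empty list means the resource uses the CyberArk driver, carries no clear-text password, and has a query in the colon/comma form.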
Now start Tomcat, and you will never have to worry about setting the password in the context.xml file again!