FlexDeploy Integration with CyberArk AAM

In a previous blog entry, we discussed FlexDeploy integration with external credential stores. Now let's explore the specifics of integration with CyberArk AAM.

FlexDeploy provides two out-of-the-box options for integration with CyberArk AAM:

  1. Command line option with the agent
  2. HTTP call to the AIM web service

Here are the high-level integration steps for either type of CyberArk AAM integration:

  1. Configure a credential store in FlexDeploy with the details necessary to interact with CyberArk
  2. Configure an individual credential for each secret value you need
  3. Use the credential in build/deploy configurations

Configure agent integration

For integration using the agent, first install and configure the CyberArk agent on the FlexDeploy server, which will set up the clipasswordsdk executable in /opt/CARKaim/sdk. Then create a credential store configuration using the CyberArk AAM Agent provider and provide the location of clipasswordsdk.

FlexDeploy will invoke the command line to get the secret. For example:

/opt/CARKaim/sdk/clipasswordsdk GetPassword -p AppDescs.AppID=AppID1 -p Query="safe=Database%20Accounts;folder=root;object=apps" -o Password

Configure webservice integration

For integration using the web service, you need details such as the CyberArk URL and a client certificate. The client certificate is used for authentication. If you are using self-signed certificates, you need to provide the server certificate as well. Then create a credential store configuration using the CyberArk AAM provider and provide these details.

FlexDeploy will invoke the web service to get the secret. For example:

https://services-uscentral.skytap.com:17052/AIMWebservice/api/Accounts?AppID=AppId1&Query=safe=Database%20Accounts;folder=root;object=apps

Configure credential

For each secret value that you want to use from CyberArk AAM, configure a credential with a unique name. In either type of integration, you will need to provide the Application Id and Query. The Query contains details like safe, folder and object.

Now use the credential as necessary in FlexDeploy configurations.

FlexDeploy will retrieve the secret from CyberArk as necessary and will not cache or print it. This allows you to update credentials as per your organization's policies without having to update FlexDeploy configurations.

See FlexDeploy Documentation for more detailed instructions.

You can try FlexDeploy for Free to try features described in this blog.

Chandresh Patel

I have been working with Java EE technologies since 2000. After implementing IBM WebSphere and custom framework solutions, my past 10 years have been focused on Oracle Fusion Middleware such as WebLogic, ADF, WebCenter and Coherence. I have been part of many automation projects in the past and have a passion for automation capabilities to help our customers deliver software faster and with higher quality. In my current role as a Principal Architect at Flexagon, I am driving the FlexDeploy product strategy and development to build DevOps/CI/CD features that help our customers.
