In a previous blog entry we discussed FlexDeploy integration with external credential stores. Now let's explore the specifics of integration with CyberArk AAM.
FlexDeploy provides two out-of-the-box options for integration with CyberArk AAM:
- Command line option with the agent, and
- HTTP call to the AIM webservice.
Here are the high-level integration steps for either type of CyberArk AAM integration:
- Configure a credential store in FlexDeploy with the details necessary to interact with CyberArk
- Configure an individual credential for each secret value you need
- Use the credential in build/deploy configurations
Configure agent integration
For integration using the agent, first install and configure the CyberArk agent on the FlexDeploy server; this sets up the clipasswordsdk executable in /opt/CARKaim/sdk. Then create a credential store configuration using the CyberArk AAM Agent provider and provide the location of clipasswordsdk.
FlexDeploy invokes the command line tool to get the secret. For example:
/opt/CARKaim/sdk/clipasswordsdk GetPassword -p AppDescs.AppID=AppID1 -p Query="safe=Database%20Accounts;folder=root;object=apps" -o Password
Configure webservice integration
For integration using the webservice, you need details such as the CyberArk URL and a client certificate. The client certificate is used for authentication. If you are using self-signed certificates, you need to provide the server certificate as well so FlexDeploy can validate the CyberArk endpoint. Then create a credential store configuration using the CyberArk AAM provider and provide these details.
FlexDeploy invokes the webservice to get the secret. For example:
https://services-uscentral.skytap.com:17052/AIMWebservice/api/Accounts?AppID=AppId1&Query=safe=Database%20Accounts;folder=root;object=apps
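As an added example (not FlexDeploy's or CyberArk's own code), the following Python shows the same two lookups described above for the agent and the webservice integrations: it builds the shared safe/folder/object Query, the clipasswordsdk argument vector, and the AIM webservice URL, and parses the JSON reply from the webservice with client certificate (mutual TLS) authentication. Assumptions: the webservice reply carries the secret in a "Content" field with "UserName" and "Address" metadata, the endpoint path follows the spelling used in the post, and every host name, AppID, safe name and certificate path here is a constructed placeholder.

```python
"""Added example: CyberArk AAM lookups as described in the post (not FlexDeploy's code).
Assumptions: the webservice JSON reply holds the secret in "Content"; host names, AppIDs,
safe names and certificate paths are constructed placeholders, not real deployments."""
import json
import ssl
import subprocess
import urllib.parse
import urllib.request


def build_query(safe: str, folder: str = "root", obj: str = "") -> str:
    """Query value shared by both integrations: safe=...;folder=...;object=...
    Spaces are percent-encoded, matching the post's 'Database%20Accounts' example."""
    enc = urllib.parse.quote  # percent-encodes spaces and other unsafe characters
    return f"safe={enc(safe)};folder={enc(folder)};object={enc(obj)}"


def build_cli_args(app_id: str, safe: str, folder: str, obj: str,
                   sdk: str = "/opt/CARKaim/sdk/clipasswordsdk") -> list:
    """Argument vector for the agent integration. Built as a list so no shell
    is involved and the query never needs shell quoting."""
    return [sdk, "GetPassword",
            "-p", f"AppDescs.AppID={app_id}",
            "-p", f"Query={build_query(safe, folder, obj)}",
            "-o", "Password"]


def build_ccp_url(endpoint: str, app_id: str, safe: str, folder: str, obj: str) -> str:
    """URL for the webservice integration. '=' and ';' inside Query are kept, and the
    '%' from build_query is kept so the safe name is not double-encoded."""
    params = urllib.parse.urlencode(
        {"AppID": app_id, "Query": build_query(safe, folder, obj)},
        safe=";=%", quote_via=urllib.parse.quote)
    return f"{endpoint}?{params}"


def parse_ccp_response(body: bytes) -> dict:
    """Extract the secret and account metadata from the webservice JSON reply.
    Assumption: the secret is in "Content"; a reply without it is treated as an error."""
    data = json.loads(body)
    if "Content" not in data:
        raise ValueError(f"no secret returned: {data.get('ErrorMsg', 'unknown error')}")
    return {"secret": data["Content"],
            "username": data.get("UserName"),
            "address": data.get("Address")}


def fetch_secret_webservice(url: str, client_cert: str, client_key: str,
                            server_ca: str = None, timeout: int = 10) -> dict:
    """Webservice integration with mutual TLS. server_ca is the server certificate
    (or CA bundle) to trust; pass it when the CyberArk endpoint is self-signed."""
    ctx = ssl.create_default_context(cafile=server_ca)  # still verifies the server
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)  # client auth
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_ccp_response(resp.read())


def fetch_secret_agent(app_id: str, safe: str, folder: str, obj: str) -> str:
    """Agent integration: run clipasswordsdk and return the secret from stdout.
    The secret is returned, never logged or printed, mirroring the post's guidance."""
    result = subprocess.run(build_cli_args(app_id, safe, folder, obj),
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed placeholders; no network or agent call is made here.
    print(" ".join(build_cli_args("AppID1", "Database Accounts", "root", "apps")))
    print(build_ccp_url("https://ccp.example.invalid:17052/AIMWebservice/api/Accounts",
                        "AppId1", "Database Accounts", "root", "apps"))
```

The fetch functions return the secret to the caller rather than printing it, and the TLS context is created with certificate verification left on; the server certificate is only added as a trust anchor, not used to disable checking.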
Configure credential
For each secret value that you want to use from CyberArk AAM, configure a credential with a unique name. In either type of integration, you will need to provide the Application Id and the Query. The Query contains details such as the safe, folder and object.
Now use the credential wherever it is needed in FlexDeploy configurations.
FlexDeploy retrieves the secret from CyberArk each time it is needed and does not cache or print it. This allows you to rotate credentials according to your organization's policies without having to update FlexDeploy configurations.
See FlexDeploy Documentation for more detailed instructions.
You can try FlexDeploy for free to test the features described in this blog.