Although this blog post is set up in the context of a FlexDeploy installation, it will be useful for anyone running Java web applications on Tomcat who wants to integrate Tomcat with CyberArk for data source passwords.
As you can see in a FlexDeploy installation, the database password is defined in the context.xml file in clear text. There are two ways to configure Tomcat to retrieve the password from CyberArk when a connection is requested:
- Use a property source configuration; you will need to write Java code to fetch the password from CyberArk.
- Use the Application Server Credential Provider utility from CyberArk.
Let’s discuss the Application Server Credential Provider configuration.
First, copy CACredTCMapper550.jar and javapasswordsdk.jar to the Tomcat lib directory. In the case of FlexDeploy, this is the <FlexDeploy Home>/apache-tomcat-flexdeploy/lib folder. You will need to download these files from the CyberArk site.
Now configure context.xml as shown below. Keep in mind that the credential query syntax is slightly different for this setup. For example, I normally use the query safe=Database%20Accounts;folder=root;object=fd_admin, but in the context.xml setup I need to use safe:Database%20Accounts,folder:Root,object:fd_admin. In short, = is replaced by : and ; is replaced by a comma (,).
Additionally, this example is for a PostgreSQL database; if you are using another database, replace the driver appropriately.
<Resource name="jdbc/flexdbDS"
          auth="Container"
          type="javax.sql.DataSource"
          factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
          driverClassName="com.cyberark.aim.v550.tomcat.ASCPDriver"
          vendorDriver="org.postgresql.Driver"
          userPropertyName="user"
          passwordPropertyName="password"
          connectionProperties="appId=App_FlexDeploy;query=safe:Database%20Accounts,folder:Root,object:fd_admin"
          url="vendorDriver=org.postgresql.Driver;jdbc:postgresql://dbpostgres1:5432/flexdeploy"
          maxTotal="100"
          maxIdle="20"
          validationQuery="select 1"
          testOnBorrow="true"
          defaultTransactionIsolation="READ_COMMITTED"
          useLocalSessionState="true"
          defaultAutoCommit="false"/>
Now start Tomcat, and you will never have to worry about setting a password in the context.xml file!
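As an added check (my own code, not part of the post and not from FlexDeploy or CyberArk), the script below parses a constructed context.xml, flags any Resource that still carries a clear-text password attribute, and verifies that every ASCP Resource has an appId and a query in the key:value,key:value form described above; the CLI-to-context.xml query translation is included as a function. Resource names, the sample password and the brokenDS entry are constructed for illustration.

```python
import xml.etree.ElementTree as ET
ASCP_DRIVER = "com.cyberark.aim.v550.tomcat.ASCPDriver"

# Constructed sample context.xml (not from a real install): a legacy clear-text Resource,
# the ASCP Resource from the post, and one that wrongly pastes in the CLI query form.
SAMPLE_CONTEXT_XML = """<Context>
  <Resource name="jdbc/legacyDS" type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
            username="fd_admin" password="Welcome1" url="jdbc:postgresql://dbpostgres1:5432/flexdeploy"/>
  <Resource name="jdbc/flexdbDS" type="javax.sql.DataSource" driverClassName="com.cyberark.aim.v550.tomcat.ASCPDriver"
            connectionProperties="appId=App_FlexDeploy;query=safe:Database%20Accounts,folder:Root,object:fd_admin"
            url="vendorDriver=org.postgresql.Driver;jdbc:postgresql://dbpostgres1:5432/flexdeploy"/>
  <Resource name="jdbc/brokenDS" type="javax.sql.DataSource" driverClassName="com.cyberark.aim.v550.tomcat.ASCPDriver"
            connectionProperties="appId=App_FlexDeploy;query=safe=Database%20Accounts;folder=root;object=fd_admin"
            url="vendorDriver=org.postgresql.Driver;jdbc:postgresql://dbpostgres1:5432/flexdeploy"/>
</Context>"""

def to_context_query(cli_query):
    """CLI form key=value;key=value -> context.xml form key:value,key:value.
    Needed because connectionProperties already uses = and ; as its own separators."""
    pairs = [item.split("=", 1) for item in cli_query.split(";") if item]
    return ",".join(f"{key}:{value}" for key, value in pairs)

def parse_connection_properties(value):
    """Split Tomcat's 'name=value;name=value' attribute into a dict (split on first = only)."""
    props = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            props[key.strip()] = val.strip()
    return props

def audit_context(xml_text):
    """Return (resource name, finding) tuples; an empty list means every Resource is clean."""
    findings = []
    for res in ET.fromstring(xml_text).iter("Resource"):
        name = res.get("name", "?")
        if res.get("password"):
            findings.append((name, "clear-text password attribute present"))
        if res.get("driverClassName") != ASCP_DRIVER:
            continue  # not routed through CyberArk, nothing more to check
        props = parse_connection_properties(res.get("connectionProperties", ""))
        if "appId" not in props:
            findings.append((name, "ASCP driver configured without appId"))
        query = props.get("query", "")
        if not query:
            findings.append((name, "ASCP driver configured without query"))
        elif "=" in query or ":" not in query:
            # a pasted CLI query is chopped at its ';' above, leaving an '=' inside the value
            findings.append((name, "query uses CLI syntax; expected key:value,key:value"))
    return findings
```

Running audit_context over the real context.xml after the change should return an empty list; any remaining finding points at a Resource that was not migrated or at a query pasted in the wrong syntax.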
Learn more about FlexDeploy and its out-of-the-box support for over 100 tools and technologies and download the datasheet today.
2 thoughts on “Tomcat Configuration for CyberArk Integration”
Can this be called from the catalina.properties file to get passwords for keystores, etc. during startup? If so, do you have an example of doing this with those jar files?
I believe you can do that, but I do not have an example of this. Please refer to https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html. You will need a custom implementation of Property Source, which can invoke the CyberArk command line to get credential values.