General Information
AAM Integration Template:
With this integration, the Celonis end-user no longer has to enter sensitive database credentials into the configuration files or the frontend of the application. This article covers only the end-user-facing configuration.
Please find the step-by-step description for the technical setup in the AAM Integration Template. The technical preparation of Celonis 4 is described in the updated Operation Guide.
Note: Requires an active and licensed CyberArk Privileged Access Security Solution.
Prerequisites
- The `javapasswordsdk.jar` runtime library supplied by CyberArk has been placed in the `<installDir>/lib` folder in the Celonis 4 installation directory.
- The CyberArk Credential Provider Agent (`aimprv` service on Linux, `CyberArk Application Password Provider Service` on Windows) is running on the same instance as the Celonis service.
Password retrieval - configuration files
After connecting Celonis to CyberArk, the Java Properties of every custom `*.properties` file inside the Celonis installation directory can be configured for retrieval via CyberArk.
The properties to be retrieved via CyberArk need to have the following format:
```properties
<<property.name>>=cyberark-sdk:<<LIST_OF_OBJECT_ARGUMENTS>>
```
With:
| Element | Description |
|---|---|
| `<<property.name>>` | Java Property name to be retrieved. For example `database.password`. |
| `cyberark-sdk:` | Mandatory prefix for the use of CyberArk (colon included). |
| `<<LIST_OF_OBJECT_ARGUMENTS>>` | URL-encoded string of CyberArk object request arguments (e.g. AppID, Safe, Object, Reason) in a URL query format. Properties are separated by “&”. Property name and value are separated by “=”. |
Example:
```properties
database.password=cyberark-sdk:appid=yourcompanyappid&safe=safename&object=objectname&reason=cpm4-application-db-configuration
```
Notes:
- `appid`, `safe`, `object` and `reason` are typical CyberArk request arguments. This example could be extended according to all single String setter names (e.g. setPolicyID(String) -> policyid, setFolder(String) -> folder, ...) that are supported by the CyberArk Java SDK. Please follow the `PSDKPasswordRequest` Java class documentation for all supported arguments.
- The request arguments are case-insensitive.
- As `<<LIST_OF_OBJECT_ARGUMENTS>>` is a URL-encoded string, values that contain special characters can be passed by URL-encoding them. For example, a request whose reason is a quoted string containing extended characters such as []{}/ and [陰]{陽} could look like this:

```properties
database.password=cyberark-sdk:appid=testappid&safe=test&object=cpm4&reason=%22Some%20weird%20quoted%20reasn'%20with%20extended%20chars%3A%20%5B%5D%7B%7D%2F%2C%20and%20chinese%20hieroglyphs%20%5B%E9%99%B0%5D%7B%E9%99%BD%7D%22
```
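A configuration audit for the format described above, as an added example (not Celonis or CyberArk code): it parses `cyberark-sdk:` values with standard URL query decoding and flags password-like properties that still hold a literal value or an incomplete reference. The `password` name hint, the set of required arguments, the exact-match prefix check and the sample file content are assumptions made for this example.

```python
from urllib.parse import parse_qsl, quote

PREFIX = "cyberark-sdk:"
REQUIRED = ("appid", "safe", "object")  # assumption: arguments this audit insists on

def parse_reference(value):
    """Return the request arguments (names lower-cased, values URL-decoded),
    or None when the value is not a cyberark-sdk: reference."""
    value = value.strip()
    if not value.startswith(PREFIX):
        return None
    # strict_parsing raises ValueError for a field that has no "=".
    pairs = parse_qsl(value[len(PREFIX):], keep_blank_values=True, strict_parsing=True)
    return {name.lower(): val for name, val in pairs}

def build_reference(**args):
    """Build a reference, percent-encoding every value (including & and =)."""
    return PREFIX + "&".join(f"{k}={quote(str(v), safe='')}" for k, v in args.items())

def audit_properties(text, hint="password"):
    """List (line, property, problem) for password-like name=value lines."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # blank line, comment, or not a plain name=value line
        name, value = (part.strip() for part in line.split("=", 1))
        if hint not in name.lower():
            continue
        try:
            args = parse_reference(value)
        except ValueError:
            findings.append((number, name, "malformed argument list"))
            continue
        if args is None:
            findings.append((number, name, "literal value in file"))
        elif any(a not in args for a in REQUIRED):
            findings.append((number, name, "required argument missing"))
    return findings

# Constructed sample file content, not taken from a real installation.
SAMPLE = """\
database.password=cyberark-sdk:AppID=yourcompanyappid&Safe=safename&Object=objectname
ldap.password=example-literal-value
smtp.password=cyberark-sdk:appid=yourcompanyappid&safe=safename
"""

if __name__ == "__main__":
    print(audit_properties(SAMPLE))
```

Run against the custom `*.properties` files of an installation, an empty result means every password-like property is a complete reference.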
Password retrieval - frontend
The frontend configuration follows the same rules and notes as the configuration of the properties. Retrieving the passwords requires the following format:

```text
cyberark-sdk:<<LIST_OF_OBJECT_ARGUMENTS>>
```
Example:
```text
cyberark-sdk:appid=yourcompanyappid&safe=safename&object=objectname&reason=cpm4-application-db-configuration
```
Applicable passwords in the frontend
Database connections
The "password" to connect to a database from within a Data Model.
Source configurations
- “LDAP password” in System Settings → Source Configurations → LDAP Sources
- “Database password” in System Settings → Source Configurations → Database Sources
SMTP Server configuration
- “SMTP Server Password” in System Settings → Mail