CyberArk AAM Integration - Password Retrieval
Important
FedRAMP users should not establish any database connections without consulting Celonis first. For more information, contact Support.
Applicable versions: CPM 4.7.1
General Information
AAM Integration Template:
With this integration, the Celonis end-user does not have to enter sensitive database credentials into the configuration files or the frontend of the application anymore.
Please find the step-by-step description for the technical setup in the AAM Integration Template. The technical preparation of Celonis 4 is also described in more detail in the Operation Guide.
Note: Requires an active and licensed CyberArk Privileged Access Security Solution.
Prerequisites
The
javapasswordsdk.jarruntime library supplied by CyberArk has been placed in the<installDir>/libfolder in the Celonis 4 installation directory.The CyberArk Credential Provider Agent (
aimprvservice on Linux,CyberArk Application Password Provider Serviceon Windows) is running on the same instance as the Celonis service.
Password retrieval - configuration files
After connecting Celonis to CyberArk, the Java Properties of every custom *.properties file inside the Celonis installation directory can be configured for retrieval via CyberArk.
The properties to be retrieved via CyberArk need to have the following format:
<<property.name>>=cyberark-sdk:<<LIST_OF_OBJECT_ARGUMENTS>>
With:
| Java Property name to be retrieved. For example database.password. |
| Mandatory prefix for the use of CyberArk (colon included) |
| URL-encoded string of CyberArk object request arguments (e.g. AppID, Safe, Object, Reason) in a URL query format. Properties are separated by “&”. Property name and value are separated by “=”. |
Example:
database.password=cyberark-sdk:appid=yourcompanyappid&safe=safename&object=objectname&reason=cpm4-application-db-configuration
Notes:
appid, safe, objectandreasonare typical CyberArk request arguments. This example could be extended according to all single String setter names (e.g. setPolicyID(String) -> policyid, setFolder(String) -> folder, ...) that are supported by the CyberArk Java SDK. Please follow thePSDKPasswordRequestjava class documentation for all supported arguments.The request arguments are case-insensitive
As
<<LIST_OF_OBJECT_ARGUMENTS>>is a URL-encoded string, one could leverage the usage by URL-encoding the values. For example the request with reason="Some reason” and extended chars: []{}\\/ [陰]{陽}" could look like this:
database.password=cyberark-sdk:appid=testappid&safe=test&object=cpm4&reason= %22Some%20weird%20quoted%20reasn'%20with%20extended%20chars%3A%20%5B%5D%7B%7D%2F%2C%20and%20chinese%20hieroglyphs%20%5B%E9%99%B0%5D%7B%E9%99%BD%7D%22
Password retrieval - frontend
The frontend configuration follows the same rules & notesas the configuration of the properties. Retrieving the passwords requires the following format:
cyberark-sdk:<<LIST_OF_OBJECT_ARGUMENTS>>
Example:
cyberark-sdk:appid=yourcompanyappid&safe=safename&object=objectname&reason=cpm4-application-db-configuration
Applicable passwords in the frontend
Important
FedRAMP users should not establish any database connections without consulting Celonis first. For more information, contact Support.
Database connections
The "password" to connect to a database from within a Data Model.
 |
Source configurations
“LDAP password” in System Settings → Source Configurations → LDAP Sources
“Database password” in System Settings → Source Configurations → Database Sources:
 |
SMTP Server configuration
SMTP Server Password in System Settings → Mail
 |