Applicable versions: CPM 4.7.1
AAM Integration Template:
With this integration, the Celonis end-user does not have to enter sensitive database credentials into the configuration files or the frontend of the application anymore.
Please find the step-by-step description for the technical setup in the AAM Integration Template. The technical preparation of Celonis 4 is also described in more detail in the Operation Guide.
Note: Requires an active and licensed CyberArk Privileged Access Security Solution.
- The javapasswordsdk.jar runtime library supplied by CyberArk has been placed in the <installDir>/lib folder in the Celonis 4 installation directory.
- The CyberArk Credential Provider Agent (aimprv service on Linux, CyberArk Application Password Provider Service on Windows) is running on the same instance as the Celonis service.
After connecting Celonis to CyberArk, the Java properties of every custom *.properties file inside the Celonis installation directory can be configured for retrieval via CyberArk.
The properties to be retrieved via CyberArk need to have the following format:
<<property.name>>=cyberark-sdk:<<LIST_OF_OBJECT_ARGUMENTS>>
With:
| Part | Description |
| --- | --- |
| <<property.name>> | Java Property name to be retrieved. For example database.password. |
| cyberark-sdk: | Mandatory prefix for the use of CyberArk (colon included) |
| <<LIST_OF_OBJECT_ARGUMENTS>> | URL-encoded string of CyberArk object request arguments (e.g. AppID, Safe, Object, Reason) in a URL query format. Properties are separated by “&”. Property name and value are separated by “=”. |
Example:
database.password=cyberark-sdk:appid=yourcompanyappid&safe=safename&object=objectname&reason=cpm4-application-db-configuration
Notes:
- appid, safe, object and reason are typical CyberArk request arguments. This example could be extended according to all single String setter names (e.g. setPolicyID(String) -> policyid, setFolder(String) -> folder, ...) that are supported by the CyberArk Java SDK. Please follow the PSDKPasswordRequest Java class documentation for all supported arguments.
- The request arguments are case-insensitive.
- As <<LIST_OF_OBJECT_ARGUMENTS>> is a URL-encoded string, values that contain special characters can be passed by URL-encoding them. For example, a request whose reason is a quoted string with extended characters such as []{}/ and [陰]{陽} could look like this:

database.password=cyberark-sdk:appid=testappid&safe=test&object=cpm4&reason=%22Some%20weird%20quoted%20reasn'%20with%20extended%20chars%3A%20%5B%5D%7B%7D%2F%2C%20and%20chinese%20hieroglyphs%20%5B%E9%99%B0%5D%7B%E9%99%BD%7D%22
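The property format described above can be checked mechanically before a configuration is deployed. The following Python code is an added example, not Celonis or CyberArk code: it builds and parses cyberark-sdk: values and reports password-like properties that still hold a plaintext value or an incomplete reference. The REQUIRED argument set, the name-matching hint, decoding "+" as a space, and the sample property names other than database.password are assumptions.

```python
from urllib.parse import parse_qsl, quote, urlencode

PREFIX = "cyberark-sdk:"                # mandatory prefix, colon included
REQUIRED = ("appid", "safe", "object")  # assumption: arguments this site insists on

def build_reference(**args):
    """Return a property value with every argument value percent-encoded."""
    return PREFIX + urlencode(args, quote_via=quote, safe="")

def parse_reference(value):
    """Decode a reference into {lower-cased argument: value}; ValueError if malformed."""
    if not value.startswith(PREFIX):
        raise ValueError("not a cyberark-sdk reference")
    # parse_qsl splits on "&" and "=", then URL-decodes ("+" is read as a space).
    pairs = parse_qsl(value[len(PREFIX):], keep_blank_values=True, strict_parsing=True)
    args = {k.lower(): v for k, v in pairs}  # argument names are case-insensitive
    missing = [k for k in REQUIRED if not args.get(k)]
    if missing:
        raise ValueError("missing arguments: " + ", ".join(missing))
    return args

def audit_properties(text, hint="password"):
    """Return {property name: problem} for properties whose name contains `hint`
    (a heuristic) and whose value is not a valid cyberark-sdk reference."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # blank line, comment, or not a key=value pair
        name, value = (part.strip() for part in line.split("=", 1))
        if hint not in name.lower():
            continue
        try:
            parse_reference(value)
        except ValueError as exc:
            findings[name] = str(exc)
    return findings

# Constructed sample file; only the database.password line comes from the page.
SAMPLE = """\
database.user=celonis
database.password=cyberark-sdk:appid=yourcompanyappid&safe=safename&object=objectname&reason=cpm4-application-db-configuration
ldap.password=placeholder-plaintext-value
mail.password=cyberark-sdk:AppID=yourcompanyappid&Safe=safename
"""

if __name__ == "__main__":
    print(build_reference(appid="testappid", safe="test", object="cpm4",
                          reason='"Some reason" []{}/ [陰]{陽}'))
    for name, problem in audit_properties(SAMPLE).items():
        print(name, "->", problem)
```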
The frontend configuration follows the same rules and notes as the configuration of the properties. Retrieving the passwords requires the following format:
cyberark-sdk:<<LIST_OF_OBJECT_ARGUMENTS>>
Example:
cyberark-sdk:appid=yourcompanyappid&safe=safename&object=objectname&reason=cpm4-application-db-configuration
- The "password" to connect to a database from within a Data Model.
- “LDAP password” in System Settings → Source Configurations → LDAP Sources
- “Database password” in System Settings → Source Configurations → Database Sources
- SMTP Server Password in System Settings → Mail