Skip to main content

Celonis Product Documentation

Password Provider Solutions
Using a Custom Password Provider

When extracting data from a database via JDBC, the connection is established using the credentials stored in the EMS to send requests.

While Celonis’ security policy prescribes that all used credentials are stored encrypted within the EMS, we do acknowledge that some of our customer’s security policies do not allow them to store these credentials in the cloud or use plain text passwords.

For these cases, a custom password management provider can be integrated.The custom password provider needs to be packaged as a jar file and added to the class path of the extractor application.

This document is prepared as a configuration guide to use a custom password provider in the EMS Data Integration.

Step 1: Define your custom password provider

The first step to define your custom password provider is to implement a custom password provider. For this you will need our connector-external-clients.jar library. With this library, you can implement a simple custom password provider like below:

package com.mycompany;

import cloud.celonis.connector.external.client.model.PasswordRequest;
import cloud.celonis.connector.external.client.model.PasswordResponse;
import cloud.celonis.connector.external.client.passwordprovider.CustomPasswordProvider;

public class MyConfidentialPasswordProvider implements CustomPasswordProvider {

    public PasswordResponse getPassword(PasswordRequest passwordRequest) {
        PasswordResponse passwordResponse = new PasswordResponse();
        passwordResponse.setPassword(myInternalPasswordProvider.getPassword());
        return passwordResponse;
    }
}

CustomPasswordProvider: can be used for providing the source system password or proxy passwords. In addition to this, you can provide passwords for multiple source systems. In order to differentiate between different types of password requests, you can use the PasswordRequest object.

PasswordRequest.passwordType: An enum of type PasswordType, describing the type of password requested. Possible values are SOURCE_SYSTEM,PROXY,INTERNAL_PROXY

PasswordRequest.host: This field will be populated with the Server Name you specified in the data connection if the passwordType is SOURCE_SYSTEM. If the passwordType is PROXY or INTERNAL_PROXY, this field will be populated with the host in the proxy configuration.

PasswordRequest.username: This field will be populated with the Username you specified in the data connection if the passwordType is SOURCE_SYSTEM. If the passwordType is PROXY or INTERNAL_PROXY, this field will be populated with the user in the proxy configuration.

PasswordRequest.password: This field will be populated with the Password you specified in the data connection if the passwordType is SOURCE_SYSTEM. If the passwordType is PROXY or INTERNAL_PROXY, this field will be populated with the password in the proxy configuration.

You can see a sample password provider that uses the PasswordRequest object to retrieve data for proxy and different source systems:

package com.mycompany;

import cloud.celonis.connector.external.client.model.PasswordRequest;
import cloud.celonis.connector.external.client.model.PasswordResponse;
import cloud.celonis.connector.external.client.passwordprovider.CustomPasswordProvider;

public class MyConfidentialPasswordProvider implements CustomPasswordProvider {

    public PasswordResponse getPassword(PasswordRequest passwordRequest) {
        PasswordResponse passwordResponse = new PasswordResponse();
        if(passwordRequest.getPasswordType() == PasswordType.PROXY) {
            passwordResponse.setPassword(myInternalPasswordProvider.getProxyPassword());
        } else if (passwordRequest.getHost().equals("prod-server-01") && passwordRequest.getUsername().equals("celonis")) {
            passwordResponse.setPassword(myInternalPasswordProvider.getPasswordForProdServer01());
        } else if (passwordRequest.getHost().equals("prod-server-02") && passwordRequest.getUsername().equals("celonis")) {
            passwordResponse.setPassword(myInternalPasswordProvider.getPasswordForProdServer02());
        } else {
            passwordResponse.setPasswordResponseStatus(PasswordResponseStatus.FAILED);
        }
        return passwordResponse;
    }
}
Step 2: Register your custom password provider to the JDBC Extractor Application

In order to register your custom password provider, you need to add the following configuration to your application-local.yml file:

credentialsProvider:
     enabled: true
     type: CUSTOM_CREDENTIALS_PROVIDER
     CUSTOM_CREDENTIALS_PROVIDER:
     passwordProviderImplementation: com.mycompany.MyConfidentialPasswordProvider

Second part is to package your custom password provider to a jar file and add it to the class path of the JDBC Extractor Application. This can be achieved with the following command:

java -Dloader.path=mycustom-password-provider-1.0-SNAPSHOT.jar -Dspring.config.location=application-local.yml -jar connector-jdbc.jar
Using Cyberark as a Password Provider

When extracting data from a database via JDBC, the connection is established using the credentials stored in the EMS to send requests.

While Celonis’ security policy prescribes that all used credentials are stored encrypted within the EMS, we do acknowledge that some of our customer’s security policies do not allow them to store these credentials in the cloud or use plain text passwords.

For these cases, Cyberark as a password management provider can be integrated. The CyberArk agent is installed on the same on-premises Extractor Server in the customer’s network and provides the password for the database connection.

The actual password is constantly changing, only known by Cyberark and the database credentials are not stored in the EMS.

This document is prepared as a configuration guide to use Cyberark as a password provider in the EMS Data Integration.

Requirements
  • An example cyberark string: cyberark-sdk:appID=MY_APP_ID&safe=MY_SAFE&folder=MY_FOLDER&policyId=MY_POLICY_ID&Object=MY_OBJECT&reason=MY_REASON

  • On Linux, the service can be checked with the command below:

    sudo service aimprv start
    sudo service aimprv status
  • On Linux, the password string for the example above can be retrieved with the command below:

    /opt/CARKaim/sdk/clipasswordsdk GetPassword \
        -p AppDescs.AppID="MY_APP_ID" \
        -p Query="Safe=MY_SAFE;Object=MY_OBJECT"\
        -o Password
  • A Cyberark string needs to be prepared for the password that needs to be fetched from Cyberark.

  • In order for Cyberark integration to work, a Cyberark agent needs to be installed in the same server where the extractor server is installed

  • The Cyberk agent needs to be able to resolve the Cyberark string that is going to be used. Please test the Cyberark string with the local agent before testing with EMS.

Configuration

Step 1: In the related database connection configuration, the Cyberark string needs to be provided in the password field:

50745839.png

Step 2: In the application-local.yml file of the extractor application, the following configuration needs to be added:

credentialsProvider:
  enabled: true
  type: CYBERARK_SDK

This looks like the following:

50745840.png

Step 3: Restart the extractor server

Troubleshooting

For security reasons, error messages are not displayed in the EMS. In case of errors please refer to the application logs of the extractor server.