Celonis Product Documentation

Using CyberArk as a Password Provider

When extracting data from a database via JDBC, the connection is established using the credentials stored in the Celonis Platform to send requests.

While Celonis’ security policy prescribes that all credentials in use are stored encrypted within the Celonis Platform, we acknowledge that some of our customers’ security policies do not allow them to store these credentials in the cloud or to use plain text passwords.

For these cases, CyberArk can be integrated as a password management provider. The CyberArk agent is installed on the same on-premises Extractor Server in the customer’s network and provides the password for the database connection.

The actual password changes constantly and is known only to CyberArk, and the database credentials are not stored in the Celonis Platform.

This document is a configuration guide for using CyberArk as a password provider in Celonis Platform Data Integration.

Requirements
  • A CyberArk string needs to be prepared for the password that is to be fetched from CyberArk.

    • An example CyberArk string: cyberark-sdk:appID=MY_APP_ID&safe=MY_SAFE&folder=MY_FOLDER&policyId=MY_POLICY_ID&Object=MY_OBJECT&reason=MY_REASON

  • For the CyberArk integration to work, a CyberArk agent needs to be installed on the same server as the extractor server.

    • On Linux, the service can be started and checked with the commands below:

      sudo service aimprv start
      sudo service aimprv status
  • The CyberArk agent needs to be able to resolve the CyberArk string that is going to be used. Please test the CyberArk string with the local agent before testing with the Celonis Platform.

    • On Linux, the password for the example string above can be retrieved with the command below:

      /opt/CARKaim/sdk/clipasswordsdk GetPassword \
          -p AppDescs.AppID="MY_APP_ID" \
          -p Query="Safe=MY_SAFE;Object=MY_OBJECT" \
          -o Password
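
Added example (not part of the Celonis or CyberArk documentation): a POSIX shell pre-flight check that parses a string in the format shown above, builds the same clipasswordsdk call, and discards the returned password so that testing never puts the secret on the terminal. The function names are hypothetical; it assumes that only appID, safe and Object are needed, as in the command above, and that the SDK exits non-zero on failure.

```shell
#!/bin/sh
# Added example: pre-flight check of a Celonis "cyberark-sdk:" string against
# the local CyberArk agent. Function names are hypothetical.
SDK=${SDK:-/opt/CARKaim/sdk/clipasswordsdk}   # SDK path as shown on this page

# cark_field STRING KEY: print KEY's value from "cyberark-sdk:k=v&k=v...".
# Keys are matched exactly as spelled on this page (appID, safe, Object).
cark_field() (
    set -f; IFS='&'                  # split on '&' only, no globbing
    for pair in ${1#cyberark-sdk:}; do
        case $pair in
            "$2"=?*) printf '%s\n' "${pair#*=}"; exit 0 ;;
        esac
    done
    exit 1                           # key absent or empty
)

# cark_query STRING: build the Query argument for clipasswordsdk.
cark_query() (
    case $1 in
        cyberark-sdk:*) ;;
        *) echo "not a cyberark-sdk string" >&2; exit 2 ;;
    esac
    safe=$(cark_field "$1" safe)  || { echo "missing safe" >&2; exit 2; }
    obj=$(cark_field "$1" Object) || { echo "missing Object" >&2; exit 2; }
    case "$safe$obj" in              # ';' separates Query terms
        *\;*) echo "';' not allowed in safe/Object" >&2; exit 2 ;;
    esac
    printf 'Safe=%s;Object=%s\n' "$safe" "$obj"
)

# cark_test STRING: ask the agent for the password but discard it, so the
# secret never reaches the terminal, scrollback or a log file.
# Assumption: the SDK exits non-zero when it cannot resolve the query.
cark_test() (
    query=$(cark_query "$1")     || exit 2
    app=$(cark_field "$1" appID) || { echo "missing appID" >&2; exit 2; }
    [ -x "$SDK" ] || { echo "SDK not found: $SDK" >&2; exit 3; }
    if "$SDK" GetPassword -p AppDescs.AppID="$app" \
            -p Query="$query" -o Password >/dev/null; then
        echo "OK: agent resolved '$query' for AppID $app"
    else
        echo "FAIL: agent could not resolve '$query' for AppID $app" >&2
        exit 1
    fi
)

# Run as: sh cark_check.sh 'cyberark-sdk:appID=...&safe=...&Object=...'
if [ $# -gt 0 ]; then cark_test "$1"; fi
```

Run it as the operating-system user of the extractor service, so the result reflects the identity the agent will see at extraction time.
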
Configuration

Step 1: In the related database connection configuration, provide the CyberArk string in the password field.

Step 2: In the application-local.yml file of the extractor application, the following configuration needs to be added:

credentialsProvider:
  enabled: true
  type: CYBERARK_SDK


Step 3: Restart the extractor server

Troubleshooting CyberArk

For security reasons, error messages are not displayed in the Celonis Platform. In case of errors, please refer to the application logs of the extractor server.