Using CyberArk as a Password Provider
When extracting data from a database via JDBC, the connection is established using the credentials stored in the EMS to send requests.
While Celonis’ security policy prescribes that all credentials in use are stored encrypted within the EMS, we acknowledge that some of our customers’ security policies do not allow them to store these credentials in the cloud or to use plain text passwords.
For these cases, CyberArk can be integrated as a password management provider. The CyberArk agent is installed on the same on-premises Extractor Server in the customer’s network and provides the password for the database connection.
The actual password changes constantly and is known only to CyberArk; the database credentials are not stored in the EMS.
This document is a configuration guide for using CyberArk as a password provider in the EMS Data Integration.
Requirements
A CyberArk string needs to be prepared for the password that is to be fetched from CyberArk.
An example CyberArk string: cyberark-sdk:appID=MY_APP_ID&safe=MY_SAFE&folder=MY_FOLDER&policyId=MY_POLICY_ID&Object=MY_OBJECT&reason=MY_REASON
For the CyberArk integration to work, a CyberArk agent needs to be installed on the same server where the extractor server is installed.
On Linux, the service can be checked with the command below:
    sudo service aimprv start
    sudo service aimprv status
The CyberArk agent needs to be able to resolve the CyberArk string that is going to be used. Please test the CyberArk string with the local agent before testing with EMS.
On Linux, the password string for the example above can be retrieved with the command below:
    /opt/CARKaim/sdk/clipasswordsdk GetPassword \
      -p AppDescs.AppID="MY_APP_ID" \
      -p Query="Safe=MY_SAFE;Object=MY_OBJECT" \
      -o Password
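A pre-flight check for the test described above, added here as an example and not taken from the original guide or from Celonis or CyberArk code: it parses the cyberark-sdk string, builds the same clipasswordsdk call, and reports only whether the agent resolved it, so the password never reaches the terminal. The function names are hypothetical, and the exact key spelling (appID, safe, Object) and the allowed character set for values are assumptions based on the example string.

```shell
#!/bin/sh
# Added example: verify a cyberark-sdk string against the local agent
# without displaying the password. Function names are hypothetical.
# Assumption: keys are spelled as in the guide's example string.
CLI=${CLI:-/opt/CARKaim/sdk/clipasswordsdk}   # CLI path used in the guide

# ca_field STRING KEY: print the value of KEY, or return 1 if it is absent.
ca_field() (
  set -f                       # no globbing while splitting on '&'
  IFS='&'
  for pair in ${1#cyberark-sdk:}; do
    case $pair in
      "$2"=*) printf '%s\n' "${pair#*=}"; exit 0 ;;
    esac
  done
  exit 1
)

# ca_check STRING: require the prefix and the fields the CLI call needs, and
# reject characters (such as ';' or '=') that would alter the Query string.
# Assumption: values use only letters, digits, '_', '.' and '-'.
ca_check() (
  case $1 in cyberark-sdk:*) ;; *) echo "missing cyberark-sdk: prefix" >&2; exit 1 ;; esac
  for key in appID safe Object; do
    val=$(ca_field "$1" "$key") || { echo "missing field: $key" >&2; exit 1; }
    case $val in
      ''|*[!A-Za-z0-9_.-]*) echo "unsafe or empty value for $key" >&2; exit 1 ;;
    esac
  done
)

# ca_query STRING: print the Query argument in the form the guide uses.
ca_query() {
  printf 'Safe=%s;Object=%s\n' "$(ca_field "$1" safe)" "$(ca_field "$1" Object)"
}

# ca_test STRING: ask the local agent for the password, report only success.
ca_test() (
  ca_check "$1" || exit 1
  pw=$("$CLI" GetPassword -p AppDescs.AppID="$(ca_field "$1" appID)" \
         -p Query="$(ca_query "$1")" -o Password) ||
    { echo "agent could not resolve the string" >&2; exit 2; }
  [ -n "$pw" ] || { echo "agent returned an empty password" >&2; exit 3; }
  echo "OK: agent returned a password (not shown)"
)
```

Source the file on the Extractor Server and run ca_test with the string you plan to enter in the EMS password field; a non-zero status means the string was rejected or the agent could not resolve it.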
Configuration
Step 1: In the related database connection configuration, provide the CyberArk string in the password field.
Step 2: In the application-local.yml file of the extractor application, the following configuration needs to be added:
    credentialsProvider:
      enabled: true
      type: CYBERARK_SDK
Step 3: Restart the extractor server
Troubleshooting CyberArk
For security reasons, error messages are not displayed in the EMS. In case of errors, please refer to the application logs of the extractor server.