USER MANUALS

CyberArk

Virtual DataPort can obtain the credentials from the CyberArk Vault in two ways:

  1. Agent mode. In this mode, the data source requests the credentials to a CyberArk agent that has been installed in the same computer as the Denodo Platform. This uses the Agent Based Credential Provider (CP) of CyberArk.

  2. Agentless mode. In this mode, the data source requests the credentials to the service AIMWebService of CyberArk.

CyberArk: Agent Mode

In “Agent Mode”, Virtual DataPort requests the credentials to connect to the database, from the CyberArk agent that runs on the same computer as the Denodo Platform.

Follow these steps to enable the integration with CyberArk.

Step #1: Install the CyberArk Agent

Install the CyberArk Agent on the same computer as the Denodo Platform. Refer to the CyberArk “Credential Provider and ASCP Implementation Guide” to learn how to install the agent.

After installing the agent, obtain the “hash” that will represent Denodo. On Windows, execute this command (for Linux, execute the equivalent command):

cd C:\Program Files (x86)\CyberArk\ApplicationPasswordProvider\Utils
AIMGetAppInfo.exe GetHash

At the prompt, provide the path to <DENODO_HOME>/lib/contrib/denodo-commons-vault.jar. The output will be like this:

Application file full path [mandatory] ==> DENODO_HOME/lib/contrib/denodo-commons-vault.jar
FC11BA736FC0AB66301B160F7FC37D496EBC3B6B
Command ended successfully

Copy this output; you will need it in the next step.

Step #2: Define the Application ID (APPID) in the CyberArk Password Vault

Define an Application ID (APPID) for the Denodo Platform. Refer to the documentation of CyberArk Password Vault Web Access (PVWA) to learn how to register an application in CyberArk.

After registering the application, you have to define the Authentication Details.

  • If you add OS user, enter the user name of the account you use to start Virtual DataPort.

  • If you add Path, enter the path to <DENODO_HOME>/lib/contrib/denodo-commons-vault.jar (replace “<DENODO_HOME>” with the actual path).

  • If you add Hash, use the hash you obtained in “Step #1”.

    Note

    This hash may change after installing an update of Denodo so, after installing an update, run the “AIMGetAppInfo” utility to check if the hash has changed. If it has changed, add the new hash and consider keeping the existing one if you have Denodo servers running different updates.

Step #3: Enable the CyberArk Integration - Agent Mode in Virtual DataPort

Once you defined the application in CyberArk, you have to enable the integration in Virtual DataPort. Follow these steps:

  1. Locate the file JavaPasswordSDK.jar in the installation of the CyberArk Agent. It is usually located in <CYBERARK_AGENT_HOME>/CyberArk/ApplicationPasswordSdk/JavaPasswordSDK.jar. You will use it later.

  2. Open the Administration Tool of Virtual DataPort and log in with an administrator account.

  3. Click the menu File > Extension management.

  4. In this dialog, click the tab Libraries and click Import.

  5. In Resource type, select Vault and then, CyberArk. Click Add and select the file JavaPasswordSDK.jar (note that this shows the content of the computer of your Administration Tool, not the content of the Virtual DataPort server).

  6. Click Ok and Ok again to upload this library.

  7. Restart Virtual DataPort.

  8. Log in again.

  9. On the menu Administration, click Server configuration and then, click the tab Credentials vault.

  10. In this tab, select Use external credentials vault and then, set Provider to CyberArk (agent mode).

  11. In Application Id, enter the application name with which you registered Denodo in CyberArk. For example, “denodo_production”.

  12. Click Ok to save the changes.

Enabling CyberArk Agent Mode

After doing this, you can configure your JDBC data sources with the option Obtain credentials from password vault.

Application Configuration for Agent Mode

CyberArk can use the following options for authenticating an application accessing through Agent Mode. These options are configured by Application Id at CyberArk side.

  • The HASH of the application.

    For obtaining the HASH value of Virtual DataPort use AIMGetAppInfo script. It is available at CyberArk SDK installation. For example:

    C:\Program Files (x86)\CyberArk\ApplicationPasswordProvider\Utils>AIMGetAppInfo.exe GetHash
      Application file full path [mandatory] ==> DENODO_HOME/lib/contrib/denodo-commons-vault.jar
      FC11BA736FC0AB66301B160F7FC37D496EBC3B6B
      Command ended successfully
    

    Returned value must be configured at CyberArk for restricting access by HASH.

    Note

    Use this application path to calculate the HASH: <DENODO_HOME>/lib/contrib/denodo-commons-vault.jar

    Warning

    HASH value could change after installing a new Denodo update.

  • The PATH of the application.

    For restricting application access by PATH, configure the following value at CyberArk:

    <DENODO_HOME>/lib/contrib/denodo-commons-vault.jar
    

CyberArk: AgentLess Mode

In the agentless mode, the data source will request the credentials to the service AIMWebService of CyberArk. This uses the Agentless Central Credential Provider (CCP) of CyberArk.

Enabling CyberArk AgentLess Mode

Follow these steps to enable this:

  1. Log in to the CyberArk Password Vault Web Access (PVWA) with a user account allowed to manage applications (it requires Manage Users authorization).

  2. In the Applications tab, click Add Application to define an Application ID (APPID) for the Denodo Platform.

    Refer to the documentation of CyberArk Password Vault Web Access (PVWA) to learn how to register an application in CyberArk.

  3. Open the Administration Tool and log in with an administrator user.

  4. On the menu Administration, click Server configuration and then, click the tab Credentials vault.

  5. In this tab, select Use external credentials vault and then, set Provider to CyberArk (agentless mode).

  6. In this form, enter this information:

  • Application Id: the identifier of the application at CyberArk Vault.

  • URL: URL of the AIMWebService of CyberArk. For example, https://cyberark-server.acme.com/AIMWebService/api/Accounts.

  • Client certificate (private key): click Browse to upload the file that contains the private key used for authenticating previous Application Id in the CyberArk Vault. It has to be a PFX or PKCS#12 file.

    • Password: the password of the Client certificate.

  • Certificate of Certification Authority (CA) (optional): click Browse to upload the file that contains the certificate used for validating the response from CyberArk Vault. It has to be a PFX or PKCS#12 file or a X509 certificate. You only need this if the vault uses a certificate that is not widely recognized.

    • Password (optional): the password of the Certificate of Certification Authority (CA). If you provide a X509 certificate, this password is ignored.

Click Ok to apply the changes. The changes are applied immediately, you do not need to restart.

Naming Convention for CyberArk Accounts

CyberArk Vault stores credentials information using objects named Accounts. These objects are located inside another entity named Safe. For identifying a unique CyberArk Account, Virtual DataPort needs to supply a Safe and an Account name.

In the configuration of the data sources, when you provide the value in the box Account name, you have to enter this with the format

<SafeName>\<AccountName>

For example, to use a CyberArk Account called “my-database-account” of the Safe “DenodoSafe”, enter this:

DenodoSafe\my-database-account

How Virtual DataPort Retrieves the Credentials from CyberArk

See How A Data Source Obtains the Credentials from the Vault in the previous page. This process is the same regardless of you use agent mode or agentLess mode.

Add feedback