CyberArk

Virtual DataPort can obtain the credentials from the CyberArk Vault in two ways:

  1. Agent mode. In this mode, the data source requests the credentials to a CyberArk agent that has been installed in the same computer as the Denodo Platform. This uses the Agent Based Credential Provider (CP) of CyberArk.

  2. Agentless mode. In this mode, the data source requests the credentials to the service AIMWebService of CyberArk.

CyberArk: Agent Mode

In “Agent Mode”, Virtual DataPort requests the credentials to connect to the database, from the CyberArk agent that runs on the same computer as the Denodo Platform.

Follow these steps to enable the integration with CyberArk.

Step #1: Install the CyberArk Agent

Install the CyberArk Agent on the same computer as the Denodo Platform. Refer to the CyberArk “Credential Provider and ASCP Implementation Guide” to learn how to install the agent.

After installing the agent, obtain the “hash” that will represent Denodo. On Windows, execute this command (for Linux, execute the equivalent command):

cd C:\Program Files (x86)\CyberArk\ApplicationPasswordProvider\Utils
AIMGetAppInfo.exe GetHash

At the prompt, provide the path to <DENODO_HOME>/lib/contrib/denodo-commons-vault.jar. The output will be like this:

Application file full path [mandatory] ==> DENODO_HOME/lib/contrib/denodo-commons-vault.jar
FC11BA736FC0AB66301B160F7FC37D496EBC3B6B
Command ended successfully

Copy this output; you will need it in the next step.

Step #2: Define the Application ID (APPID) in the CyberArk Password Vault

Define an Application ID (APPID) for the Denodo Platform. Refer to the documentation of CyberArk Password Vault Web Access (PVWA) to learn how to register an application in CyberArk.

After registering the application, you have to define the Authentication Details.

  • If you add OS user, enter the user name of the account you use to start Virtual DataPort.

  • If you add Path, enter the path to <DENODO_HOME>/lib/contrib/denodo-commons-vault.jar (replace “<DENODO_HOME>” with the actual path).

  • If you add Hash, use the hash you obtained in “Step #1”.

    Note

    This hash may change after installing an update of Denodo so, after installing an update, run the “AIMGetAppInfo” utility to check if the hash has changed. If it has changed, add the new hash and consider keeping the existing one if you have Denodo servers running different updates.

Step #3: Enable the CyberArk Integration - Agent Mode in Virtual DataPort

Once you defined the application in CyberArk, you have to enable the integration in Virtual DataPort. Follow these steps:

  1. Locate the file JavaPasswordSDK.jar in the installation of the CyberArk Agent. It is usually located in <CYBERARK_AGENT_HOME>/CyberArk/ApplicationPasswordSdk/JavaPasswordSDK.jar. You will use it later.

  2. Open the Administration Tool of Virtual DataPort and log in with an administrator account.

  3. Click the menu File > Extension management.

  4. In this dialog, click the tab Libraries and click Import.

  5. In Resource type, select Vault and then, CyberArk. Click Add and select the file JavaPasswordSDK.jar (note that this shows the content of the computer of your Administration Tool, not the content of the Virtual DataPort server).

  6. Click Ok and Ok again to upload this library.

  7. Restart Virtual DataPort.

  8. Log in again.

  9. On the menu Administration, click Server configuration and then, click the tab Credentials vault.

  10. In this tab, select Use external credentials vault and then, set Provider to CyberArk (agent mode).

  11. In Application Id, enter the application name with which you registered Denodo in CyberArk. For example, “denodo_production”.

  12. Click Ok to save the changes.

Enabling CyberArk Agent Mode

After doing this, you can configure your JDBC data sources with the option Obtain credentials from password vault.

Application configuration for Agent Mode

CyberArk can use next options for authenticating an application accessing through Agent Mode. These options are configured by Application Id at CyberArk side.

  • The HASH of the application.

    For obtaining the HASH value of Virtual DataPort use AIMGetAppInfo script. It is available at CyberArk SDK installation. For example:

    C:\Program Files (x86)\CyberArk\ApplicationPasswordProvider\Utils>AIMGetAppInfo.exe GetHash
      Application file full path [mandatory] ==> DENODO_HOME/lib/contrib/denodo-commons-vault.jar
      FC11BA736FC0AB66301B160F7FC37D496EBC3B6B
      Command ended successfully
    

    Returned value must be configured at CyberArk for restricting access by HASH.

    Note

    Application path for calculating the HASH must be DENODO_HOME/lib/contrib/denodo-commons-vault.jar

    Warning

    HASH value could change after installing a new Denodo update.

  • The PATH of the application.

    For restricting application access by PATH, configure next value at CyberArk:

    DENODO_HOME/lib/contrib/denodo-commons-vault.jar

CyberArk: AgentLess Mode

In the agentless mode, the data source will request the credentials to the service AIMWebService of CyberArk. This uses the Agentless Central Credential Provider (CCP) of CyberArk.

Enabling CyberArk AgentLess Mode

Follow these steps to enable this:

  1. Log in to the CyberArk Password Vault Web Access (PVWA) with a user account allowed to manage applications (it requires Manage Users authorization).

  2. In the Applications tab, click Add Application to define an Application ID (APPID) for the Denodo Platform.

    Refer to the documentation of CyberArk Password Vault Web Access (PVWA) to learn how to register an application in CyberArk.

  3. Open the Administration Tool and log in with an administrator user.

  4. On the menu Administration, click Server configuration and then, click the tab Credentials vault.

  5. In this tab, select Use external credentials vault and then, set Provider to CyberArk (agentless mode).

  6. In this form, enter this information:

  • Application Id: the identifier of the application at CyberArk Vault.

  • URL: URL of the AIMWebService of CyberArk. For example, https://cyberark-server.acme.com/AIMWebService/api/Accounts.

  • Client certificate (private key): click Browse to upload the file that contains the private key used for authenticating previous Application Id in the CyberArk Vault. It has to be a PFX or PKCS#12 file.

    • Password: the password of the Client certificate.

  • Certificate of Certification Authority (CA) (optional): click Browse to upload the file that contains the certificate used for validating the response from CyberArk Vault. It has to be a PFX or PKCS#12 file or a X509 certificate. You only need this if the vault uses a certificate that is not widely recognized.

    • Password (optional): the password of the Certificate of Certification Authority (CA). If you provide a X509 certificate, this password is ignored.

Click Ok to apply the changes. The changes are applied immediately, you do not need to restart.

Naming Convention for CyberArk Accounts

CyberArk Vault stores credentials information using objects named Accounts. These objects are located inside another entity named Safe. For identifying a unique CyberArk Account, Virtual DataPort needs to supply a Safe and an Account name.

In the configuration of the data sources, when you provide the value in the box Account name, you have to enter this with the format

<SafeName>\<AccountName>

For example, to use a CyberArk Account called “my-database-account” of the Safe “DenodoSafe”, enter this:

DenodoSafe\my-database-account

How Virtual DataPort Retrieves the Credentials from CyberArk

When you configure a JDBC data source to retrieve the credentials from CyberArk, this is what happens the first time the data source opens a connection to this database:

  1. The data source uses the Java API provided by CyberArk to communicate with the CyberArk agent that runs in the same computer as Virtual DataPort. It uses this API to request the credentials (user and password) of the CyberArk account you entered in the data source.

  2. The agent returns the credentials and the data source uses them to open the connection to the database.

  3. The data source holds these credentials in-memory, not in the hard drive, with the goal of speeding up the creation of further connections to this database.

The next time this data source opens a connection to this database, it will do this:

  1. The data source will try to open the connection using the credentials stored in memory. That is, the credentials it previously obtained from the CyberArk agent.

  2. If the connection fails, the data source will request the credentials to the agent and try to open the connection again.

  3. If the connection fails again, the data source will return an error to the user.

The steps #1 and #2 happen automatically without the intervention of the user.

This process is the same regardless of you use agent mode or agentLess mode. The only difference is in how the data source obtains the credentials from CyberArk.

Additional Considerations

  • By default, the JDBC data sources create a pool of connections to the database. When you configure a data source to request the credentials to CyberArk, the process of opening a new connection is the same regardless of if the pool is enabled or disabled.

  • If you enabled the option pass-through credentials in the data source, the data source will use the credentials of the end user to execute queries and will only use the credentials obtained from CyberArk, to introspect the database. That is, to list the tables and views of the database when you click Create base view.

  • If you restart Virtual DataPort or the data source is recreated (e.g., you change the configuration and click Save), the credentials stored in memory for this data source are removed from memory and will be requested to CyberArk.

  • You can also configure the data source to retrieve the credentials with the authentication option Use Kerberos. In this scenario, the data source will retrieve the credentials from the agent, and use these credentials to obtain a Kerberos ticket.