Central Credential Provider operations
This topic provides input and output XML elements, and sample XML requests and responses for the operation in the Central Credential Provider folder.
When you use a context item as an input for an adapter request, you must enclose the adapter request in the <request-data> elements. However, when you create a static request, <request-data> is not required and the adapter request starts with the <cyberark-adapter-request> element.
Get Password
The Get Password operation retrieves the password, in an encrypted format, from the CyberArk Central Credential Provider.
The Get Password operation is based on the agent less Application Access Manager (AAM) method, which ensures that the adapter can retrieve the passwords securely using an Application ID, and query parameters that match your requirement. With accurate authorization, the adapter uses API calls (REST or SOAP) to get password.
The agent less AAM method ensures that privileged credentials from the CyberArk vault are retrieved in a secured format. These credentials can be used to access service accounts, Web services, databases, and so on instead of storing the credentials within the application itself (either inside a configuration file or in a database).
The response contains the password in the Content key in the JSON body. Password retrieved from the API call is in a plain text, which the adapter converts to an encrypted format. This can be further used as a secure context item input in other workflows.
To view information about the adapter module for Central Credential Provider operation, see Get-Password-workflow.
Before you run the Get Password operation
- To run this operation, you must ensure that the Central Credential Provider component is installed and running in your environment.
- Passwords are sensitive data and BMC recommends that you secure and mask them in the Grid Log and Process Files on the peers where these adapters are enabled and where the Development Studio is installed. To mask password data, do these steps:
- Navigate to the AO_HOME/config directory and edit the log_config.xml file.
Locate the <log-config> section and add the <replacement-string> and mask pattern to replace secure data.
For replacement string, provide any valid replacement string regex. For masking pattern, provide any valid regex to represent the data pattern.<log-config>
<replacement-string>$1***MASKED***$2</replacement-string>
<patterns>
<mask-pattern><![CDATA[(\"Content\":\")[^&]*?\"(,\"|}</message-body>)]]></mask-pattern>
<mask-pattern><![CDATA[(\"password\":)[^&]*(})]]></mask-pattern>
</patterns>
</log-config>For more information, see Hiding the display of secure data in log files.
Get Password adapter request elements
The following table describes the input XML elements for the adapter request.
Input element | Description | Required |
|---|---|---|
<operation-name> | Specifies the name of the operation. Valid value: ccp-aim-get-password | Yes |
<app-id> | Specifies the unique ID of the application issuing the password request. Application ID identifies an application to the CyberArk Vault. It needs to be granted sufficient privileges to retrieve all the credentials it needs. You must grant the appropriate permissions when the application is deployed. The recommended format for the AppID is name <Partner Name>-<Product Name>. Example: BMC_TrueSightOrchestration | Yes |
<query> | Specifies the filters, in a property=value format, to retrieve passwords. To specify multiple query parameters, use a semi-colon. Different types of accounts have different sets of properties. The most common are username and address. You must ensure that your query returns only one account, else it results in an error. For this, you may use a number of properties in the query. You can also run a query based on the CyberArk primary key. Typically, the following properties can be used:
Valid format: Property=Value;Property=Value;Property=Value Example: Safe=Test;Folder=root\OS\Windows;Object=windows1;Address=components;Username=svc_account | Yes |
<private-key-file> | Specifies the file that contains the private key, in a PEM format, which is used to sign the HTTP request to invoke the Application Identity Manager (AIM) API to retrieve the credentials. For example, the Password Retrieval AIM API uses the application ID, which is configured with client certificate-based authentication. If specified in the adapter configuration, you can choose to not specify in the adapter request. | Conditional; required if you specify <certificate-key-file> |
<certificate-file> | Specifies the file containing the public key (X509 Certificate) that is used to sign the HTTP request to invoke AIM API to retrieve the credentials. If specified in the adapter configuration, you can choose to not specify in the adapter request. | Conditional; required if you specify <private-key-file> |
<keystore-file> | Specifies the path to the Java KeyStore file that contains the client certificate and private key to invoke the AIM API to retrieve the credentials. If you specify <keystore-file>, then the adapter request ignores the values specified for <private-key-file> and <certificate-file>. | No |
<keystore-password> | Specifies the password to the Java KeyStore file. | Conditional; required if <keystore-file> is specified. |
<key-password> | Specifies the password of the key contained in the Java KeyStore file. If key password is not specified, the value of the <keystore-password> is considered. | Conditional; required if <keystore-password> is not specified. |
The following figure shows a sample XML request to retrieve the password with AppID and Query.
<operation-name>ccp-aim-get-password</operation-name>
<app-id>BMC_TrueSightOrchestration</app-id>
<query>Address=10.0.1.20;Username=demotsotest1</query>
<private-key-file>C:\CyberArkCert\ClientCert\CyberArkkey.pem</private-key-file>
<certificate-file>C:\CyberArkCert\ClientCert\client.crt</certificate-file>
</cyberark-adapter-request>
The following figure shows another sample XML request to retrieve the password using AppID and query with KeyStore file (JKS format).
<operation-name>ccp-aim-get-password</operation-name>
<app-id>BMC_TrueSightOrchestration</app-id>
<query>Address=10.0.1.20;Username=demotsotest1</query>
<private-key-file></private-key-file>
<certificate-file></certificate-file>
<keystore-file>C:\Deepak\CyberArkClientKeystore.jks</keystore-file>
<keystore-password>JKSpassword</keystore-password>
<key-password>pkeypassword</key-password>
</cyberark-adapter-request>
The following figure shows the adapter response for the request if the password is retrieved successfully.
<metadata>
<status>success</status>
</metadata>
<status-line>
<code>200</code>
<reason>OK</reason>
</status-line>
<header-lines>
<Cache-Control>no-cache</Cache-Control>
<Pragma>no-cache</Pragma>
<Content-Type>application/json; charset=utf-8</Content-Type>
<Expires>-1</Expires>
<Server>Microsoft-IIS/8.5</Server>
<Date>Thu, 05 Dec 2019 05:53:26 GMT</Date>
<Content-Length>410</Content-Length>
</header-lines>
<message-body><![CDATA[{
"UserName": "cyberarktsouser1",
"Address": "10.30.40.55",
"ExtraPass1Safe": "SCIM Config",
"ExtraPass1Folder": "Root",
"ExtraPass1Name": "BMC-user-account",
"Safe": "TSOCyberArkSystemDemo",
"Folder": "Root",
"PasswordChangeInProcess": "False",
"Name": "Operating System-WinDesktopLocal-10.30.40.55-cyberarktsouser1",
"DeviceType": "Operating System",
"Content": "<EncryptedData xmlns=\"http://www.w3.org/2001/04/xmlenc#\" Type=\"http://www.w3.org/2001/04/xmlenc#Content\"><CipherData><CipherValue>klAzJfbHcea2TZL2k5FFtQ==</CipherValue></CipherData></EncryptedData>",
"CreationMethod": "PVWA",
"PolicyID": "WinDesktopLocal"
}]]></message-body>
</cyberark-adapter-response>
The following figure shows the adapter response for the request if the password is not retrieved.
<metadata>
<status>success</status>
</metadata>
<status-line>
<code>404</code>
<reason>Not Found</reason>
</status-line>
<header-lines>
<Cache-Control>no-cache</Cache-Control>
<Pragma>no-cache</Pragma>
<Content-Type>application/json; charset=utf-8</Content-Type>
<Expires>-1</Expires>
<Server>Microsoft-IIS/8.5</Server>
<Date>Thu, 31 Oct 2019 16:04:56 GMT</Date>
<Content-Length>349</Content-Length>
</header-lines>
<message-body>{"ErrorCode":"APPAP004E","ErrorMsg":"Password object matching query [Address=10.0.1.20;Username=InvalidUser] was not found (Diagnostic Info: 5). Please check that there is a password object that answers your query in the Vault and that both the Provider and the application user have the appropriate permissions needed in order to use the password."}</message-body>
</cyberark-adapter-response>
The following table describes the output elements for the operation.
Output element | Description |
|---|---|
<cyberark-adapter-response> | Contains the adapter response. |
<status-line> | Contains the HTTP response code and the reason. Example <status-line> <code>200</code> <reason>OK</reason> </status-line> |
<message-body> | Contains the response, in JSON. If the request is successful, (code is 200, reason is OK) the password is returned in the "Content" element in the message body. Example if the adapter request is successful { "UserName": "cyberarktsouser1", "Address": "10.30.40.55", "ExtraPass1Safe": "SCIM Config", "ExtraPass1Folder": "Root", "ExtraPass1Name": "BMC-user-account", "Safe": "TSOCyberArkSystemDemo", "Folder": "Root", "PasswordChangeInProcess": "False", "Name": "Operating System-WinDesktopLocal-10.30.40.55-cyberarktsouser1", "DeviceType": "Operating System", "Content": "<EncryptedData xmlns=\"http://www.w3.org/2001/04/xmlenc#\" Type=\"http://www.w3.org/2001/04/xmlenc#Content\"><CipherData><CipherValue>klAzJfbHcea2TZL2k5FFtQ==</CipherValue></CipherData></EncryptedData>", "CreationMethod": "PVWA", "PolicyID": "WinDesktopLocal" } Example if the adapter request fails { "ErrorCode": "APPAP004E", "ErrorMsg": "Password object matching query [Address=10.0.1.20;Username=InvaidUser] was not found (Diagnostic Info: 5). Please check that there is a password object that answers your query in the Vault and that both the Provider and the application user have the appropriate permissions needed in order to use the password." } |