Get Password workflow


The Get Password workflow retrieves the password, in an encrypted format, from the CyberArk Central Credential Provider. 

The Get Password workflow is based on the agentless Application Access Manager (AAM) method, which lets the adapter retrieve passwords securely by using an Application ID and query parameters that match your requirement. Once the request is authorized, the adapter uses API calls (REST or SOAP) to retrieve the password. 

The agentless AAM method ensures that privileged credentials are retrieved from the CyberArk vault in a secure format. Applications can use these credentials to access service accounts, web services, databases, and so on, instead of storing the credentials within the application itself (either in a configuration file or in a database). 

The process directory for this workflow is BMC-AD-CyberArk:Central_Credential_Provider and the process name is Get Password.

To view information about the adapter request for this workflow, see Central-Credential-Provider-operations.

Before you run the Get Password workflow

  • To run this workflow, ensure that the Central Credential Provider component and the Central Credential Provider AIM Web Service are installed and available in your environment. 
  • Passwords are sensitive data, and BMC recommends that you secure and mask them in the Grid Log and Process Files on the peers where these adapters are enabled and where the Development Studio is installed. To mask password data, complete these steps:
    1. Navigate to the AO_HOME/config directory and edit the log_config.xml file.
    2. Locate the <log-config> section and add a <replacement-string> element and one or more <mask-pattern> elements that replace secure data.
      For the replacement string, provide any valid regex replacement string; $1 and $2 refer to the capture groups of the mask pattern. For the masking pattern, provide any valid regex that matches the data to hide.

      <log-config>
        <replacement-string>$1***MASKED***$2</replacement-string>
        <patterns>
          <mask-pattern><![CDATA[(\"Content\":\")[^&]*?\"(,\"|}</message-body>)]]></mask-pattern>
          <mask-pattern><![CDATA[(\"password\":)[^&]*(})]]></mask-pattern>
        </patterns>
      </log-config>

      For more information, see Hiding the display of secure data in log files.
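To check that the mask patterns above actually hide the password before you rely on them in the Grid Log, the following Python script (an added example, not BMC's or CyberArk's code) loads the same <log-config> fragment, converts the Java-style $n back-references in the replacement string to Python's \n form, and applies each pattern to constructed log lines. It assumes the product applies the patterns with Java regex semantics (the $1/$2 syntax in the replacement string suggests this); the log lines and the secret value are made up for the test.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the <log-config> fragment shown above; in a real deployment
# it lives in AO_HOME/config/log_config.xml. Raw string so the \" escapes survive.
LOG_CONFIG_XML = r"""<log-config>
  <replacement-string>$1***MASKED***$2</replacement-string>
  <patterns>
    <mask-pattern><![CDATA[(\"Content\":\")[^&]*?\"(,\"|}</message-body>)]]></mask-pattern>
    <mask-pattern><![CDATA[(\"password\":)[^&]*(})]]></mask-pattern>
  </patterns>
</log-config>"""

# Constructed log lines of the shape the patterns target: the CCP JSON response
# wrapped in a <message-body> element, and process-file lines holding the
# workflow's password output. The secret value is made up.
SECRET = "S3cr3t!Pa55"
SAMPLE_LINES = [
    '<message-body>{"Content":"S3cr3t!Pa55","UserName":"svc_account","Address":"components"}</message-body>',
    '{"password":"S3cr3t!Pa55"}',
    '{"password":"S3cr3t!Pa55","status":"success"}',
]


def load_mask_rules(xml_text):
    """Return (compiled patterns, Python replacement string) from a <log-config> fragment."""
    root = ET.fromstring(xml_text)
    java_repl = root.findtext("replacement-string")
    # Java-style $1/$2 group references become \1/\2 for re.sub (assumed semantics).
    py_repl = re.sub(r"\$(\d+)", lambda m: "\\" + m.group(1), java_repl)
    patterns = [re.compile(node.text) for node in root.iter("mask-pattern")]
    return patterns, py_repl


def mask_line(line, patterns, repl):
    """Apply every mask pattern in order, as the log writer would."""
    for pattern in patterns:
        line = pattern.sub(repl, line)
    return line


def leaked(lines, secret, patterns, repl):
    """Return the masked lines that still contain the secret (empty means the patterns hold)."""
    return [m for m in (mask_line(line, patterns, repl) for line in lines) if secret in m]


if __name__ == "__main__":
    pats, repl = load_mask_rules(LOG_CONFIG_XML)
    for line in SAMPLE_LINES:
        print(mask_line(line, pats, repl))
    print("leaks:", leaked(SAMPLE_LINES, SECRET, pats, repl))
```

Two properties of the page's patterns show up when you run this: the first pattern consumes the closing quote of the Content value, so the masked line reads `"Content":"***MASKED***,"UserName"...`, and the second pattern is greedy up to the last closing brace, so on a line that carries other fields after the password those fields are masked as well. Both are acceptable for a mask, but they are worth knowing when reading a masked log.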

Adapter wrapper process input

The following table describes the input elements for the adapter wrapper. 

adapter name
  Description: Specifies the name of the adapter that executes the request. Default name: CyberArkActorAdapter
  Required: No

application id
  Description: Specifies the unique ID of the application issuing the password request.
  Required: Yes

query
  Description: Specifies the filters, in Property=Value format, used to select the account whose password is retrieved. To specify multiple query parameters, separate them with a semicolon.
    Different types of accounts have different sets of properties; the most common are username and address. Your query must return exactly one account, otherwise the request fails with an error. To narrow the result, combine several properties in the query.
    You can also run a query based on the CyberArk primary key.
    Typically, the following properties can be used:
      • Safe: Specifies the name of the safe in which the account exists.
      • Folder: Specifies the folder inside the safe.
      • Object: Specifies the object name of the account. This is the Name field in the account properties.
      • Username: Specifies the username for which you want to retrieve the password.
      • Address: Specifies the address property of the account.
    Valid format: Property=Value;Property=Value;Property=Value
    Example: Safe=Test;Folder=root\OS\Windows;Object=windows1;Address=components;Username=svc_account
  Required: Yes

keystore file
  Description: Specifies the path to the Java KeyStore file that contains the client certificate and private key used to invoke the AIM API to retrieve the credentials.
  Required: No

keystore password
  Description: Specifies the password of the Java KeyStore file.
  Required: Conditional; required if you specify the keystore file.

key password
  Description: Specifies the password of the key contained in the Java KeyStore file.
  Required: Conditional; required if you specify the keystore file.

private key file
  Description: Specifies the file containing the private key that is used to sign the HTTP request that invokes the Application Identity Manager (AIM) API to retrieve the credentials.
  Required: No

certificate file
  Description: Specifies the file containing the public key (X.509 certificate) that is used to sign the HTTP request that invokes the AIM API to retrieve the credentials.
  Required: No
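The query format and the single-account requirement described for the query input, as an added example that is not the adapter's own code: a small Python module that parses the Property=Value;... string, matches it against a constructed set of accounts, rejects queries that resolve to zero or several accounts, and percent-encodes the value for transport in a URL parameter. It does not call the Central Credential Provider; the endpoint and the parameter name under which the query is sent are outside this page, so only the value encoding is shown. The accounts are made up for the test.

```python
from urllib.parse import quote

# Constructed set of accounts standing in for what a safe might hold; the values
# are made up and exist only to exercise the query matching.
SAMPLE_ACCOUNTS = [
    {"Safe": "Test", "Folder": r"root\OS\Windows", "Object": "windows1",
     "Address": "components", "Username": "svc_account"},
    {"Safe": "Test", "Folder": r"root\OS\Windows", "Object": "windows2",
     "Address": "components", "Username": "svc_account"},
    {"Safe": "Prod", "Folder": "root", "Object": "db1",
     "Address": "db.example.test", "Username": "svc_db"},
]


def parse_query(query):
    """Split 'Property=Value;Property=Value' into a dict, rejecting malformed items."""
    filters = {}
    for item in query.split(";"):
        item = item.strip()
        if not item:  # tolerate a trailing semicolon
            continue
        if "=" not in item:
            raise ValueError(f"expected Property=Value, got {item!r}")
        prop, value = (part.strip() for part in item.split("=", 1))
        if not prop or not value:
            raise ValueError(f"empty property or value in {item!r}")
        if prop in filters:
            raise ValueError(f"property {prop!r} given twice")
        filters[prop] = value
    if not filters:
        raise ValueError("query contains no filters")
    return filters


def match_accounts(accounts, filters):
    """Return the accounts whose properties equal every filter in the query (exact match)."""
    return [a for a in accounts if all(a.get(p) == v for p, v in filters.items())]


def count_matches(accounts, query):
    """How many accounts a query resolves to; the workflow requires exactly one."""
    return len(match_accounts(accounts, parse_query(query)))


def select_single_account(accounts, query):
    """Resolve a query to exactly one account, failing the way the workflow does otherwise."""
    matches = match_accounts(accounts, parse_query(query))
    if len(matches) != 1:
        raise LookupError(f"query must match exactly one account, matched {len(matches)}")
    return matches[0]


def encode_query_value(filters):
    """Rebuild the Property=Value;... string and percent-encode it as one URL parameter
    value, so the '=', ';' and backslashes inside it are not misread by the server."""
    raw = ";".join(f"{p}={v}" for p, v in filters.items())
    return quote(raw, safe="")


if __name__ == "__main__":
    page_example = r"Safe=Test;Folder=root\OS\Windows;Object=windows1;Address=components;Username=svc_account"
    print(select_single_account(SAMPLE_ACCOUNTS, page_example))
    print(encode_query_value(parse_query(page_example)))
    # Safe + Username alone matches two of the constructed accounts, so it is rejected.
    print("matches for Safe=Test;Username=svc_account:",
          count_matches(SAMPLE_ACCOUNTS, "Safe=Test;Username=svc_account"))
```

Property names and values are compared exactly here; that is a choice of this example, not a statement about how the adapter or the vault compares them.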

Adapter wrapper process output

The following table describes the output elements for the adapter wrapper. 

password
  Description: Specifies the password, in an encrypted format.

response body
  Description: Shows the actual JSON response body returned by the Get Password API.

status
  Description: Indicates whether the request executed successfully on the server.

status code
  Description: Represents the response code.

response headers
  Description: Represents the response header values.

error message
  Description: Shows an error message if the workflow fails.
