Working with the Credential Configuration Template
The credentialConfigurationTemplate.xml file is located in the WEB-INF\config directory of your IdentityIQ installation.
The template file includes sections for BeyondTrust, CyberArk, and a solution-neutral mapping option. If you are using a PAM solution other than BeyondTrust or CyberArk, you can use those sections of the template as a model for configuring another PAM solution. The file is fully commented to provide guidance as you insert your configuration settings.
Template General Guidelines
When working with templates, the best practice is to make a copy of this template to hold your specific configuration values, rather than modifying the original template file.
The template includes individual sections for BeyondTrust, CyberArk, and a solution-neutral mapping option. Remove the sections that you will not use before importing the template. For example, if you want to implement just a CyberArk solution, remove the template sections for BeyondTrust and the mapping option.
BeyondTrust Credential Configuration Template
Here are some key points to observe when you work with the BeyondTrust portion of the template.
Note that to enable credential cycling with the BeyondTrust PowerBroker Password Safe application, passwords must be configured in the JSON format. For example:
{"bt_user":"MyUserName","bt_password":"MyPasswordValue"}
In the Credential Source section, you configure:
- The URL to your BeyondTrust source
- The "run as" user for authenticating to your source
- An API key for authentication
- Your BeyondTrust Managed System and Managed Account names
In the Credential Source section, you set values for your overall BeyondTrust implementation. If specific applications will use different or unique Managed Systems or Managed Accounts, you can set values for those that are specific to particular applications in the Credential Association section.
In the Credential Association section, you configure:
- The name(s) of your IdentityIQ applications that will use credential cycling
- The attributes for your application's username, and the corresponding BeyondTrust username that provides the secure username credential to the application at runtime.
- Any application-specific overrides to the overall BeyondTrust Managed System or Managed Account names
<CredentialSource credentialClass="sailpoint.pam.credential.BeyondTrustCredentialManager" name="beyondTrust">
  <!-- The attributes in this map are used mainly to communicate with BeyondTrust.
       Any values here can be overridden by values of the same name in the attributes
       map of each credential association. Required attributes must either be configured
       here or in every credential association. Attributes:
       Required: url
       Required: runas
       Required: apikey
       Required: managedSystemName
       Required: managedAccountName
       Optional: durationMinutes
       Optional: credentialCacheMinutes
       Optional: checkInReason
       Optional: checkOutReason
  -->
  <Attributes>
    <Map>
      <entry key="url">
        <value><String>https://your.beyondtrust.server/BeyondTrust/api/public/v3/</String></value>
      </entry>
      <entry key="runas">
        <value><String>runas_user</String></value>
      </entry>
      <entry key="apikey">
        <value><String>your_beyondtrust_api_key_goes_here</String></value>
      </entry>
      <entry key="managedAccountName" value="beyond_trust_managed_account_name"/>
      <entry key="managedSystemName" value="beyond_trust_managed_system_name"/>
    </Map>
  </Attributes>
  <!-- *** Application Configuration -->
  <CredentialAssociation applicationName="application_name"
                         attributeName="application_username_attribute"
                         credentialAttributeName="bt_user">
    <!-- *** Attribute values go here. These attributes can be used to override values from
         *** above, or can be left out if not needed -->
    <Attributes>
      <Map>
        <entry key="managedAccountName" value="special_beyond_trust_managed_account_name"/>
      </Map>
    </Attributes>
  </CredentialAssociation>
  <CredentialAssociation applicationName="application_name"
                         attributeName="application_password_attribute"
                         credentialAttributeName="bt_password"/>
</CredentialSource>
CyberArk Credential Configuration Template

CyberArk implementations require the installation of CyberArk’s Credential Provider API. The Credential Provider API enables passwords that are stored in CyberArk Digital Vaults to be retrieved by IdentityIQ. This API must be installed on the same server IdentityIQ is installed on.
Note that the Credential Provider API is not the same as CyberArk’s Central Credential Provider, which provides access to the Digital Vault via web services. For full details on how to obtain and use the Credential Provider API, refer to CyberArk’s documentation.
IdentityIQ uses the “Application Hash Value” method of authenticating to the API; other methods of authentication will not work. Verify connectivity to the CyberArk Digital Vault using the command-line clipasswordsdk utility before attempting to construct the attributes of the Credential Cycling Configuration object.

For more information, refer to CyberArk’s Credential Provider and ASCP Implementation Guide.
First, ensure that you have extracted the pam-credential.jar file from the identityiq.war file.
If you have deployed IdentityIQ using the "exploded" form of the war file, you don't need to take any extra steps to extract the pam-credential.jar file; however, if you are not using this deployment strategy, you will have to extract the pam-credential.jar from the identityiq.war file, perform the steps below, then repackage the pam-credential.jar back into the identityiq.war file.
- Run the CyberArk utility 'JavaAIMGetAppInfo' (under \CyberArk\ApplicationPasswordProvider\Utils):
  (Unix) java -jar javaaimgetappinfo.jar GetHash -AppExecutablesPattern=/{path to identityiq directory}/WEB-INF/lib/pam-credential.jar
  (Windows) java -jar JavaAIMGetAppInfo.jar GetHash /AppExecutablesPattern=C:\{path to identityiq directory}\WEB-INF\lib\pam-credential.jar
- Copy the generated hash to the vault:
  - Log in to the CyberArk Web Application
  - Applications > SailpointIIQ > Authentication > Add Hash
- Wait approximately 3 minutes to allow the ‘privileged session manager’ to read the new configuration, or restart the CyberArk Privileged Session Managers service for the configuration change to take effect immediately.
Here are some key points to observe when you work with the CyberArk portion of the template.
In the Credential Source section, you configure:
- The name of your CyberArk safe - this information comes from CyberArk.
- The folder where your secure credentials are stored. Use "root" here if you do not use folders.
- An AppID, a unique identifier used for authorization, which the CyberArk Credential Provider creates when it is installed on a host.
In the Credential Association section, you configure:
- The name(s) of your IdentityIQ applications that will use credential cycling
- The attributes for your application's username, and the corresponding CyberArk username that provides the secure username credential to the application at runtime.
- A CyberArk object, which is CyberArk's representation of a collection of attributes that store password and user name information
- Any application-specific overrides to the overall CyberArk settings
<CredentialSource credentialClass="sailpoint.pam.credential.CyberArkCredentialManager" name="cyberark">
  <!-- The attributes in this map are used mainly to communicate with CyberArk.
       Any values here can be overridden by values of the same name in the attributes
       map of each credential association. Required attributes must either be configured
       here or in every credential association. Attributes:
       Required: safe
       Required: folder
       Required: appId
       Required: object
  -->
  <Attributes>
    <Map>
      <entry key="safe" value="cyber_ark_safe_name"/>
      <entry key="folder" value="cyber_ark_folder_name"/>
      <entry key="appId" value="cyber_ark_app_ID"/>
    </Map>
  </Attributes>
  <!-- *** Application Configuration -->
  <CredentialAssociation applicationName="application_name"
                         attributeName="application_username_attribute"
                         credentialAttributeName="CyberArk_username_attribute">
    <!-- *** Attribute values go here. These attributes can be used to override values from
         *** above, or can be left out if not needed -->
    <Attributes>
      <Map>
        <entry key="object" value="object_value"/>
      </Map>
    </Attributes>
  </CredentialAssociation>
</CredentialSource>
Direct Attribute Mapping Credential Configuration Template
Use this template for solution-neutral direct attribute mapping.
In the Credential Source section, you configure your actual credential values, since you are not connecting to a third-party PAM source. It is a good practice to use encrypted passwords in this section.
The Credential Associations settings connect the values in the Credential Source section to your applications as shown in the template XML below.
<CredentialSource credentialClass="sailpoint.pam.credential.MapCredentialManager" name="mapCredManager">
  <!-- The attributes in this map are the values that will be returned by the map credential manager.
       It's probably a good idea to encrypt these so they are not stored in plain text if the values
       are sensitive -->
  <Attributes>
    <Map>
      <entry key="credentialValues">
        <value>
          <Map>
            <entry key="map_username_attribute" value="john_doe_username"/>
            <entry key="map_password_attribute" value="super_secret_password"/>
          </Map>
        </value>
      </entry>
    </Map>
  </Attributes>
  <!-- *** Application Configuration -->
  <CredentialAssociation applicationName="application_name"
                         attributeName="application_username_attribute"
                         credentialAttributeName="map_username_attribute"/>
  <CredentialAssociation applicationName="application_name"
                         attributeName="application_password_attribute"
                         credentialAttributeName="map_password_attribute"/>
</CredentialSource>
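The three templates share one resolution rule (association-level attributes override source-level attributes of the same name, and every required attribute must be present at one level or the other) and two guidelines (remove the sections you will not use, and do not leave plain-text secrets in the map credential manager). The following pre-import lint, written here as an added example and not part of IdentityIQ or the template file, applies those rules to a copy of the template before you import it. It assumes the element and attribute names exactly as they appear in the template above; the encrypted-string pattern `<keyid>:ACP:<base64>` it looks for is an assumption about how IdentityIQ-encrypted values look and should be adjusted if your installation's values differ. The sample XML at the bottom is constructed for the demonstration.

```python
"""Pre-import lint for a copy of credentialConfigurationTemplate.xml (added example,
not SailPoint code). Checks that every required attribute is set on the
CredentialSource or on each CredentialAssociation, that unused CredentialSource
sections were removed, and that MapCredentialManager passwords are not plain text."""
import re
import xml.etree.ElementTree as ET

# Required attribute names per credential class, as listed in the template comments.
REQUIRED = {
    "sailpoint.pam.credential.BeyondTrustCredentialManager":
        {"url", "runas", "apikey", "managedSystemName", "managedAccountName"},
    "sailpoint.pam.credential.CyberArkCredentialManager":
        {"safe", "folder", "appId", "object"},
}

# ASSUMPTION: an IdentityIQ-encrypted string has the shape "<keyid>:ACP:<base64>".
# Adjust this pattern if the encrypted values in your installation look different.
ENCRYPTED_RE = re.compile(r"^\d+:ACP:[A-Za-z0-9+/=]+$")


def read_map(map_el):
    """Turn an IdentityIQ <Map> of <entry> elements into a dict; nested <Map>s recurse."""
    result = {}
    if map_el is None:
        return result
    for entry in map_el.findall("entry"):
        key = entry.get("key")
        if "value" in entry.attrib:                    # <entry key=".." value=".."/>
            result[key] = entry.get("value")
        elif entry.find("value/String") is not None:   # <value><String>..</String></value>
            result[key] = entry.find("value/String").text
        elif entry.find("value/Map") is not None:      # <value><Map>..</Map></value>
            result[key] = read_map(entry.find("value/Map"))
    return result


def effective_attributes(source_el, assoc_el):
    """Source-level entries, with association-level entries of the same name overriding."""
    merged = read_map(source_el.find("Attributes/Map"))
    merged.update(read_map(assoc_el.find("Attributes/Map")))
    return merged


def lint(xml_text):
    """Return a list of findings; an empty list means the copy passed these checks."""
    findings = []
    root = ET.fromstring(xml_text)
    sources = list(root.iter("CredentialSource"))
    if len(sources) > 1:
        findings.append(f"file still contains {len(sources)} CredentialSource sections; "
                        "remove the ones you will not use before importing")
    for src in sources:
        cls = src.get("credentialClass", "")
        raw_name = src.get("name", "")
        name = raw_name.strip()
        if raw_name != name:
            findings.append(f"{name}: name attribute has surrounding whitespace ({raw_name!r})")
        for assoc in src.findall("CredentialAssociation"):
            effective = effective_attributes(src, assoc)
            for key in sorted(REQUIRED.get(cls, set()) - set(effective)):
                findings.append(f"{name}/{assoc.get('applicationName')}/{assoc.get('attributeName')}: "
                                f"required attribute '{key}' is set neither on the source nor on this association")
        if cls.endswith("MapCredentialManager"):
            values = read_map(src.find("Attributes/Map")).get("credentialValues", {})
            for key, val in values.items():
                if "password" in key.lower() and not ENCRYPTED_RE.match(str(val)):
                    findings.append(f"{name}: credentialValues entry '{key}' is stored in plain text")
    return findings


# Constructed sample: a CyberArk source whose password association lacks "object",
# plus a map credential manager with a plain-text password. Wrapper element is invented.
SAMPLE_XML = """<CredentialConfigurationSample>
  <CredentialSource credentialClass="sailpoint.pam.credential.CyberArkCredentialManager" name="cyberark">
    <Attributes><Map>
      <entry key="safe" value="hr_safe"/>
      <entry key="folder" value="root"/>
      <entry key="appId" value="SailpointIIQ"/>
    </Map></Attributes>
    <CredentialAssociation applicationName="HR Directory" attributeName="user"
                           credentialAttributeName="vault_username_field">
      <Attributes><Map><entry key="object" value="hr-directory-svc"/></Map></Attributes>
    </CredentialAssociation>
    <CredentialAssociation applicationName="HR Directory" attributeName="password"
                           credentialAttributeName="vault_password_field"/>
  </CredentialSource>
  <CredentialSource credentialClass="sailpoint.pam.credential.MapCredentialManager" name="mapCredManager">
    <Attributes><Map>
      <entry key="credentialValues"><value><Map>
        <entry key="map_username_attribute" value="svc_ldap"/>
        <entry key="map_password_attribute" value="super_secret_password"/>
      </Map></value></entry>
    </Map></Attributes>
    <CredentialAssociation applicationName="LDAP" attributeName="password"
                           credentialAttributeName="map_password_attribute"/>
  </CredentialSource>
</CredentialConfigurationSample>
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_XML):
        print(finding)
```

Run it against your edited copy (`lint(open("my_credential_config.xml").read())`) before you import the file; a finding for a password association means the association inherits nothing for that attribute from the source and will fail at runtime, and a finding for a plain-text value is your cue to replace it with the encrypted form before the file leaves your workstation.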