Cyberark Central Credential Provider

Cyberark Central Credential Provider (CCP) is an enterprise-grade credential vault that is provided by Cyberark. IBM SOAR applications can connect seamlessly to CCP and retrieve credentials from the vault to be used securely in any IBM® SOAR app.

Cyberark CCP setup

To allow the SOAR app to authenticate to Cyberark CCP and retrieve the credentials it needs, create an application in CCP. Configure the application so that clients must connect over TLS (SSL) and authenticate with a client certificate. For more information, see the Cyberark CCP documentation.

Generate a client-side certificate and use it to connect to CCP. You can define other constraints, such as domain restrictions, when you create the application.

The certificate must be a PKCS12 password-protected certificate with the public and private key that is combined into a single .p12 file. The binary contents of the certificate must be encoded in base64 so that the IBM SOAR app can safely transfer the file and decode it to connect to CCP.

You can encode the file with any base64 tool. For example, on macOS, type the following command (the -i and -o options are specific to the macOS base64 command; on Linux with GNU coreutils, use base64 client.p12 > client.p12.b64).
base64 -i <client.p12 input file path> -o client.p12.b64
Take note of the following information. You must provide it when you configure the IBM SOAR app to use CCP.
  • CCP application ID.
  • Password that is used to protect the PKCS12-encrypted certificate file.

Cyberark CCP configuration in the SOAR app

After the application is configured in CCP and the client certificate file is generated and encoded in base64, install the SOAR app on the SOAR Platform.

When you configure the app, use the following values to configure the connection to the vault.
Table 1. Cyberark CCP connection settings

PAM_TYPE
    Cyberark

PAM_ADDRESS
    The address where your Cyberark CCP server can be reached. If applicable, include the port.

PAM_APP_ID
    The CCP application ID.

PAM_CERT_PATH
    The path to the base64-encoded, password-protected PKCS12 file that contains the public and private key.
    Typically, this file is uploaded to the App Host through the SOAR app configuration page and stored in the /etc/rescircuits directory; for example, /etc/rescircuits/client.p12.b64.

PAM_CERT_PASSWORD
    The password that decrypts the PKCS12 certificate file.

PAM_VERIFY_SERVER_CERT
    Optional, depending on your CCP server configuration. If your configuration requires it, the accepted values are True, False, or the path to a certificate chain (CA bundle) that validates a self-signed or privately issued certificate on a self-hosted server. The default, True, verifies the CCP server certificate against the trusted CAs and is the recommended setting.
    Important: Do not set this parameter to False in a production environment. With verification disabled, the app accepts any certificate that the server at PAM_ADDRESS presents, so an attacker who can redirect the connection can impersonate CCP and return credentials of their choosing.

Referencing a CCP vault secret

Each secret reference in the app.config file must follow the structure described here exactly. The app fails if the structure is not used.

Each configuration that you want to pull from the vault must be prefixed with the caret (^) symbol.

Each secret that you want to pull from the vault requires the following values, which must be separated by a forward slash (/).
  • The safe name in CCP.
  • The object name in CCP.
The IBM SOAR app.config entry follows this format:
[SOAR_app_name]
<configuration_name>=^<CCP_safe_name>/<name_of_CCP_credential_object>
As an example, assume that you have a secret which has a credential object that is named TestObject and is stored in the TestSafe safe. You are installing the fn_my_app app and the configuration is called my_secret_config. In this example, the app.config file includes the following entry:
[fn_my_app]
my_secret_config=^TestSafe/TestObject
If a secret must be embedded inside a longer configuration string, such as an SQL statement, use the braced form ^{safe_name/object_name}. The placeholder is replaced in place by the value retrieved from the vault, as in the following example.
[fn_my_app]
sql_query=FROM table SELECT ^{TestSafe/TestObject}
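The following Python is an added illustration of the two reference forms above and is not code from the IBM SOAR app or from Cyberark. It reads an app.config section, resolves whole-value references (^safe/object) and inline placeholders (^{safe/object}), and rejects references that do not have exactly the <safe>/<object> shape. The in-memory vault, the extra plain_setting key, and the function names are constructed for the example; the real app fetches the values from CCP over the mutual-TLS connection configured in Table 1.

```python
import configparser
import re

# Constructed stand-in for the CCP vault, keyed by "Safe/Object".
# Exists only so the example runs offline; the real app queries CCP.
FAKE_VAULT = {
    "TestSafe/TestObject": "s3cr3t-value",
    "TestSafe/DbPassword": "db-p@ss",
}

# app.config text: the two entries from the page plus a plain
# (non-vault) setting, constructed to show all three cases.
APP_CONFIG = """
[fn_my_app]
my_secret_config=^TestSafe/TestObject
sql_query=FROM table SELECT ^{TestSafe/TestObject}
plain_setting=not-a-secret
"""

# Matches inline placeholders such as ^{TestSafe/TestObject}.
INLINE_REF = re.compile(r"\^\{([^}]*)\}")


def parse_reference(ref):
    """Split 'Safe/Object' into (safe, object).

    Strict on purpose: exactly one slash and both parts non-empty,
    mirroring the page's note that the app fails on a bad structure.
    """
    parts = ref.split("/")
    if len(parts) != 2 or not all(parts):
        raise ValueError(
            "malformed CCP reference %r: expected <safe>/<object>" % ref
        )
    return parts[0], parts[1]


def fetch_secret(safe, obj, vault=FAKE_VAULT):
    """Look up a credential object; LookupError if it is not in the vault."""
    key = "%s/%s" % (safe, obj)
    if key not in vault:
        raise LookupError("no credential object %r in safe %r" % (obj, safe))
    return vault[key]


def resolve_value(raw, vault=FAKE_VAULT):
    """Resolve one app.config value.

    Case 1: the whole value is a reference (^Safe/Object).
    Case 2: the value contains ^{Safe/Object} placeholders inside a
            longer string (for example an SQL statement).
    Anything else is returned unchanged.
    """
    if raw.startswith("^") and not raw.startswith("^{"):
        safe, obj = parse_reference(raw[1:])
        return fetch_secret(safe, obj, vault)

    def substitute(match):
        safe, obj = parse_reference(match.group(1))
        return fetch_secret(safe, obj, vault)

    return INLINE_REF.sub(substitute, raw)


def resolve_section(config_text, section, vault=FAKE_VAULT):
    """Return the section with every vault reference replaced by its secret."""
    # interpolation=None so '%' in secrets or queries is not treated specially.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    return {key: resolve_value(value, vault) for key, value in parser.items(section)}


if __name__ == "__main__":
    resolved = resolve_section(APP_CONFIG, "fn_my_app")
    # Print only which keys were resolved, never the secret values.
    print("resolved keys:", sorted(resolved))
```

The resolver raises on a malformed reference (for example ^TestSafe/TestObject/extra) or on an object that the vault does not hold, rather than silently passing the literal string through, because a literal ^TestSafe/TestObject reaching a downstream API call would both fail and leak the safe and object names into logs. Resolved values should be treated as secrets from this point on: do not log them and do not write them back to app.config.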

Testing the configuration

After both the vault and the app are configured, test the configuration to ensure that the vault connection works and that the app is configured correctly. To test the configuration, go to the app's Configuration page and click Test configuration.