Credential cycling for Privileged Access Management
Back to the IdentityIQ 7.3 overview: What's new in IdentityIQ 7.3
- Overview
- About credential cycling
- How credential cycling works in IdentityIQ
- Working with the credential configuration template
- Template general guidelines
- BeyondTrust
- CyberArk
- CyberArk vendor prerequisites
- How to generate a hash to add to the application if the SCIM server is not installed on the Identity...
- Working with the CyberArk template
- Direct attribute mapping
- Credential cycling in an application
- Additional information
Overview
IdentityIQ version 7.3 continues to build out a robust Privileged Access Management (PAM) solution, by adding credential cycling to IdentityIQ's support for PAM.
The Identity University eLearning course on IdentityIQ 7.3 New Features includes a detailed lesson on enabling credential cycling. The course is available in early September 2018.
Important: For the most up-to-date information about configuring and using the PAM module, refer to the IdentityIQ product documentation on PAM.
About credential cycling
At a high level, credential cycling is a feature that allows applications which require credentials (such as username and password) to obtain that information directly from a PAM source, such as a CyberArk or Beyond Trust solution. Previously, these credentials had to be set up in the application definition manually, and if any information changed in the PAM solution, those changes had to be made manually in IdentityIQ by an administrator. With IdentityIQ 7.3, the credential cycling feature lets credentials be pulled directly from the PAM vault at runtime, with no manual intervention (other than initial configuration) by the IdentityIQ administrator, adding both security and convenience.
How credential cycling works in IdentityIQ
With version 7.3, you can manage credentials solely within your PAM solution. Essentially, an administrator defines which applications will use credential cycling, which PAM solution provides those credentials, and how each of the applications will contact the PAM vault to retrieve the credentials. This is done via a configuration file that is imported into IdentityIQ as an object.
Here is a brief summary of how credential cycling is configured in IdentityIQ. A more detailed look at the template and the configuration options is provided in a later section.
- Your applications should already be set up in IdentityIQ (Applications > Application Definition)
- In some cases the discovery options in an application can be disabled when credential cycling is enabled, so perform any necessary discovery operations before enabling credential cycling for the application.
- A template file is provided in your IdentityIQ installation, which you use as a model for setting up your own configuration. The template file is
[IdentityIQ installation directory]\WEB-INF\config\credentialConfigurationTemplate.xml
- You edit this file to define your PAM source values. The template includes models for BeyondTrust and CyberArk, as well as a solution-neutral direct attribute mapping option.
- You also include information in the file about which of your applications in IdentityIQ will use credential cycling, and how the PAM-provided values map to your application fields for authentication.
- You import the edited XML file into IdentityIQ (using gear > Global Configuration > Import File)
- Importing the file creates a new object in IdentityIQ: Credential Configuration
- If you need to update your credential cycling configuration, you can modify and re-import the credential configuration XML. You can also edit the Credential Configuration object directly in the Debug pages.
Working with the credential configuration template
The credentialConfigurationTemplate.xml is located in the WEB-INF\config directory of your IdentityIQ installation.
The template file includes sections for BeyondTrust, CyberArk, and a solution-neutral direct attribute mapping option. If you are using a PAM solution other than BeyondTrust or CyberArk, you can use those sections of the template as a model for configuring another PAM solution.The file is fully commented, to provide guidance as you insert your configuration settings.
Template general guidelines
- Remove the sections that you will not use before importing the template. For example, if you want to implement just a CyberArk solution, remove the template sections for BeyondTrust and the direct mapping option.
- Each solution option has a section for mapping Credential Source details, which manage the connection to your PAM solution, and a Credential Association section, which handles the association of the secure credentials in your PAM solution to your applications in IdentityIQ.
- As always when working with templates, the best practice is to make a copy of this template to hold your specific configuration values, rather than modifying the original template file.
BeyondTrust
Here are some key points to observe when you work with the BeyondTrust portion of the template:
Note that to enable credential cycling with the BeyondTrust PowerBroker Password Safe application, passwords must be configured in the JSON format. For example:
{"bt_user":"MyUserName","bt_password":"MyPasswordValue"}
In the Credential Source section, you configure
- The URL to your BeyondTrust source
- The "run as" user for authenticating to your source
- An API key for authentication
- Your BeyondTrust Managed System and Managed Account names. In the Credential Source section, you set overall values for your overall BeyondTrust implementation. If specific applications will use different or unique Managed Systems or Managed Accounts, you can set values for those that are specific to particular applications in the Credential Association section.
In the Credential Association section, you configure
- The name(s) of your IdentityIQ applications that will use credential cycling
- The attributes for your application's username, and the corresponding BeyondTrust username that provides the secure username credential to the application at runtime.
- Any application-specific overrides to the overall BeyondTrust Managed System or Managed Account names
<CredentialSource credentialClass="sailpoint.pam.credential.BeyondTrustCredentialManager" name="beyondTrust ">
<!-- The attributes in this map are used mainly to communicate with BeyondTrust.
Any values here can be overridden by values of the same name in the attributes
map of each credential association. Required attributes must either be configured
here or in every credential source. Attributes:
Required: url
Required: runas
Required: apikey
Required: managedSystemName
Required: managedAccountName
Optional: durationMinutes
Optional: credentialCacheMinutes
Optional: checkInReason
Optional: checkOutReason
-->
<Attributes>
<Map>
<entry key="url">
<value><String>https://your.beyondtrust.server/BeyondTrust/api/public/v3/</String></value>
</entry>
<entry key="runas">
<value><String>runas_user</String></value>
</entry>
<entry key="apikey">
<value><String>your_BeyondTrust_api_key_goes_here</String></value>
</entry>
<entry key="managedAccountName" value="beyond_trust_managed_account_name"/>
<entry key="managedSystemName" value="beyond_trust_managed_system_name"/>
</Map>
</Attributes>
<!-- ***Application Configuration -->
<CredentialAssociation applicationName="application_name"
attributeName="application_username_attribute"
credentialAttributeName="bt_user">
<!-- *** Attribute values go here. These attributes can be used to override values from
*** above, or can be left out if not needed -->
<Attributes>
<Map>
<entry key="managedAccountName" value="special_beyond_trust_managed_account_name"/>
</Map>
</Attributes>
</CredentialAssociation>
<CredentialAssociation applicationName="application_name"
attributeName="application_password_attribute"
credentialAttributeName="bt_password"/>
</CredentialSource>
CyberArk
CyberArk vendor prerequisites
CyberArk implementations require the installation of CyberArk’s Credential Provider API. The Credential Provider API enables passwords that are stored in CyberArk Digital Vaults to be retrieved by IdentityIQ. This API must be installed on the same server IdentityIQ is installed on.
Note that the Credential Provider API is NOT the same as CyberArk’s Central Credential Provider, which provides access to the Digital Vault via web services. For full details on how to obtain and use the Credential Provider API, please refer to CyberArk’s documentation.
IdentityIQ uses the “Application Hash Value” method of authenticating to the API; other methods of authentication will not work. Verify connectivity to the CyberArk Digital Vault using the command line clipasswordsdk before attempting to construct the attributes of the Credential Cycling Configuration object.
- Note: For CyberArk integrations, IdentityIQ version 8.3 and later requires version 9.8 of the CyberArk components. CyberArk customers should confirm the appropriate version of the library for their version of CyberArk, and obtain it from the vendor if necessary.
How to generate a hash to add to the application if the SCIM server is not installed on the IdentityIQ server:
Note: For more information, refer to CyberArk’s Credential Provider and ASCP Implementation Guide.
First, ensure that you have extracted the pam-credential.jar file from the identityiq.war. If you have deployed IdentityIQ using the "exploded" form of the war file, you don't need to take any extra steps to extract the pam-credential.jar file; however, if you are not using this deployment strategy, you will have to extract the pam-credential.jar from the identityiq.war file, perform the steps below, then repackage the pam-credential.jar back into the identityiq.war file.
- Run the CyberArk utility 'JavaAIMGetAppInfo' (under \CyberArk\ApplicationPasswordProvider\Utils):
(Unix) java -jar javaaimgetappinfo.jar GetHash -AppExecutablesPattern=/{path to identityiq directory}/WEB-INF/lib/pam-credential.jar
(Windows) java -jar JavaAIMGetAppInfo.jar GetHash /AppExecutablesPattern=C:\{path to identityiq directory}\WEB-INF\lib\pam-credential.jar - Copy the generated hash to the vault:
- log in to the CyberArk Web Application
- Applications > SailpointIIQ > Authentication > Add Hash
- Wait approximately 3 minutes, to allow the ‘privileged session manager’ to read the new configuration, or restart the CyberArk Privileged Session Managers service for the configuration change to take place immediately.
Working with the CyberArk template
Here are some key points to observe when you work with the CyberArk portion of the template.
In the Credential Source section, you configure
- The name of your CyberArk safe - this information comes from CyberArk.
- The folder where your secure credentials are stored. Use "root" here if you do not use folders.
- An AppID, which is a unique identifier, used for authorization, which the CyberArk Credential Provider creates when it’s installed on a host
In the Credential Association section, you configure
- The name(s) of your IdentityIQ applications that will use credential cycling
- The attributes for your application's username, and the corresponding CyberArk username that provides the secure username credential to the application at runtime.
- A CyberArk object, which is CyberArk's representation of a collection of attributes which store password and user name information
- Any application-specific overrides to the overall CyberArk settings
<CredentialSource credentialClass="sailpoint.pam.credential.CyberArkCredentialManager" name="cyberark">
<!-- The attributes in this map are used mainly to communicate with CyberArk.
Any values here can be overriden by values of the same name in the attributes
map of each credential association. Required attributes must either be configured
here or in every credential source. Attributes:
Required: safe
Required: folder
Required: appId
Required: object
-->
<Attributes>
<Map>
<entry key="safe" value="cyber_ark_safe_name"/>
<entry key="folder" value="cyber_ark_folder_name"/>
<entry key="appId" value="cyber_ark_app_ID"/>
</Map>
</Attributes>
<!-- *** Application Configuration -->
<CredentialAssociation applicationName="application_name"
attributeName="application_username_attribute"
credentialAttributeName="CyberArk_username_attribute">
<!-- *** Attribute values go here. These attributes can be used to override values from
*** above, or can be left out if not needed -->
<Attributes>
<Map>
<entry key="object" value="object_value"/>
</Map>
</Attributes>
</CredentialAssociation>
</CredentialSource>
Direct attribute mapping
Here are some key points to observe when you work with the mapping portion of the template:
In the Credential Source section, you configure your actual credential values, since you are not connecting to a third-party PAM source. It is a good practice to use encrypted passwords in this section.
The Credential Associations settings connect the values in the Credential Source section to your applications as shown in the template XML below.
<CredentialSource credentialClass="sailpoint.pam.credential.MapCredentialManager" name="mapCredManager">
<!-- The attributes in this map are the values that will be returned by the map credential manager.
It's probably a good idea to encrypt these so they are not stored in plain text if the values
are sensitive -->
<Attributes>
<Map>
<entry key="credentialValues">
<value>
<Map>
<entry key="map_username_attribute" value="john_doe_username"/>
<entry key="map_password_attribute" value="super_secret_password"/>
</Map>
</value>
</entry>
</Map>
</Attributes>
<!-- *** Application Configuration -->
<CredentialAssociation applicationName="application_name"
attributeName="application_username_attribute"
credentialAttributeName="map_username_attribute"/>
<CredentialAssociation applicationName="application_name"
attributeName="application_password_attribute"
credentialAttributeName="map_password_attribute"/>
</CredentialSource>
Credential cycling in an application
When credential cycling is configured for an application, the Application Definition UI shows a message to indicate this. Although the relevant credential fields (in this example, Connection User and Connection Password) are still marked as requiring values, these fields are not validated when credential cycling is enabled, and so can be left blank, or can include dummy values.
Additional information
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Content to Moderator
There's an undocumented syntax used to replace Active Directory Application attributes when using Credential Cycling. The feature uses SailPoint's MapUtil API. Here's a configuration that works.
<CredentialSource credentialClass="sailpoint.pam.credential.CyberArkCredentialManager" name="cyberark">
<Attributes>
<Map>
<entry key="appId" value="CyberArk"/>
<entry key="folder" value="root"/>
<entry key="object" value="ActiveDirectory"/>
<entry key="safe" value="MicrosoftSafe"/>
</Map>
</Attributes>
<CredentialAssociation applicationName="ActiveDirectory" attributeName="domainSettings[domainNetBiosName=DOMAINNAME].password" credentialAttributeName="password"/>
</CredentialSource>
The interesting part is the attributeName of the CredentialAssociation. Here we are saying to put the password credential attribute value from CyberArk into the domainSettings key that contains a list where one of the list entries matches the DOMAINNAME value putting a new key 'password' into the list entry.
Here's another example where we have to double backslash the domain username when referencing the user entry.
<CredentialAssociation applicationName="AD" attributeName="domainSettings[user='connectivity\\appadmin']. password" credentialAttributeName="password"/>
I hope this helps clear confusion based on feedback from a number of our customers,
Chris
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Content to Moderator
A Helpful from one of our customers. Below is a final working file format/syntax to share with the community
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ </CredentialAssociation> <CredentialAssociation applicationName="Active Directory" attributeName="domainSettings[user="devcorp\\svcSailPointiIQ"].password" credentialAttributeName="password"> <Attributes> <Map> <entry key="object" value="devcorp~svcSailPointiIQ"/> </Map> </Attributes> </CredentialAssociation> <CredentialAssociation applicationName="Active Directory" attributeName="forestSettings[user="devcorp\\svcSailPointiIQ"].password" credentialAttributeName="password"> <Attributes> <Map> <entry key="object" value="devcorp~svcSailPointiIQ"/> </Map> </Attributes> </CredentialAssociation> <CredentialAssociation applicationName="Active Directory" attributeName="exchangeSettings[user="devcorp\\svcSailPointiIQ"]..password" credentialAttributeName="password"> <Attributes> <Map> <entry key="object" value="devcorp~svcSailPointiIQ"/> </Map> </Attributes> </CredentialAssociation> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | HTML Email |
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Content to Moderator
jeri.smith chris.annino cathy.mallet
Can someone help understand how the property attributeName in the credential association field should be interpreted, I get the idea of credentialAttributeName property will always be "password" value from CyberArk. E.g. JDBC apps where user and password are stored in CyberArk as password object, I need to map them in the CredentialMapping file, how should the CredentialAssociation should like?
<CredentialAssociation applicationName="Oracle ERP" attributeName="user" credentialAttributeName="password">
<Attributes>
<Map>
<entry key="object" value="object_value"/>
</Map>
</Attributes>
</CredentialAssociation>
<CredentialAssociation applicationName="Oracle ERP" attributeName="password" credentialAttributeName="password">
<Attributes>
<Map>
<entry key="object" value="object_value"/>
</Map>
</Attributes>
</CredentialAssociation>
Also what is the significance of Attributes Map, what should be object and object_value?
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Content to Moderator
@suresh1_munuswamy in Object mapping you need to use the following entry key.
<entry key="Object" value="<Name value from the cyberark account>">
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Content to Moderator
Hey Experts, Did any one know if Credential cycling can be integrated with Chamber of Secret?
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Content to Moderator
Hello @chris_annino and @jeri_navin. Thanks for the above documentation which was really helpful.
Did anyone know, how to write a format/syntax in CredentialConfiguration.xml for AD with multi domain settings.
Can someone help me with this.
Thanks,
Sharath
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Content to Moderator
CyberArk Credential configuration mapping for a test application configured in SailPoint that uses basic auth.
Credential Configuration:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<sailpoint>
<Configuration name="CredentialConfiguration">
<Attributes>
<Map>
<entry key="sources">
<value>
<List>
<CredentialSource credentialClass="sailpoint.pam.credential.CyberArkCredentialManager" name="cyberark">
<Attributes>
<Map>
<entry key="safe" value="SAFE-ID"/>
<entry key="folder" value="Root"/>
<!-- AppId used in CyberArk where Hash is added -->
<entry key="appId" value="SailpointIIQ"/>
</Map>
</Attributes>
<!-- applicationName should match the SailPoint application -->
<!-- attributeName should match the attribute which holds the username. Use /debug to look for the application and find the attribute -->
<!-- credentialAttributeName should match the CyberArk response. Refer the sample CyberArk response in the comment -->
<CredentialAssociation applicationName="Test-Application" attributeName="user" credentialAttributeName="PassProps.UserName">
<Attributes>
<Map>
<!-- In CyberArk, use the name value under Account Details. Refer one of the previous comment which has screenshot -->
<entry key="object" value="Name value from the cyberark account"/>
</Map>
</Attributes>
</CredentialAssociation>
<CredentialAssociation applicationName="Test-Application" attributeName="password" credentialAttributeName="Password">
<Attributes>
<Map>
<entry key="object" value="Name value from the cyberark account"/>
</Map>
</Attributes>
</CredentialAssociation>
</CredentialSource>
</List>
</value>
</entry>
</Map>
</Attributes>
</Configuration>
</sailpoint>
Sample CyberArk Response:
<Elements>
<Element>
<ElementType>PasswordResponse</ElementType>
<ResponseBase>
<ResponseId>1</ResponseId>
<PasswordResponse>
<Password>*****</Password>
<Flags>0</Flags>
<AlterPassword>*****</AlterPassword>
<PassProps>
<AccountDescription>Sailpoint test account for credential Cycling</AccountDescription>
.
.
<UserName>xyz-username</UserName>
.
.
<Environment>Non-Prod</Environment>
</PassProps>
<PasswordChangeInProcess>false</PasswordChangeInProcess>
</PasswordResponse>
</ResponseBase>
</Element>
</Elements>
Hope it is helpful
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Content to Moderator
Does the credential cycling require PAM License from SailPoint Vendor or it can be configured without license.
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Content to Moderator
@PrashRai Were you able to get an answer to your question regarding Credential Cycling and the need for a PAM License?
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Content to Moderator
@PrashRai Yes you need a PAM license from Sailpoint to use credential cycling...