Back to the IdentityIQ 7.3 overview: What's new in IdentityIQ 7.3
IdentityIQ version 7.3 continues to build out a robust Privileged Access Management (PAM) solution, by adding credential cycling to IdentityIQ's support for PAM.
The Identity University eLearning course on IdentityIQ 7.3 New Features includes a detailed lesson on enabling credential cycling. The course is available in early September 2018.
Important: For the most up-to-date information about configuring and using the PAM module, refer to the IdentityIQ product documentation on PAM.
At a high level, credential cycling is a feature that allows applications which require credentials (such as username and password) to obtain that information directly from a PAM source, such as a CyberArk or Beyond Trust solution. Previously, these credentials had to be set up in the application definition manually, and if any information changed in the PAM solution, those changes had to be made manually in IdentityIQ by an administrator. With IdentityIQ 7.3, the credential cycling feature lets credentials be pulled directly from the PAM vault at runtime, with no manual intervention (other than initial configuration) by the IdentityIQ administrator, adding both security and convenience.
With version 7.3, you can manage credentials solely within your PAM solution. Essentially, an administrator defines which applications will use credential cycling, which PAM solution provides those credentials, and how each of the applications will contact the PAM vault to retrieve the credentials. This is done via a configuration file that is imported into IdentityIQ as an object.
Here is a brief summary of how credential cycling is configured in IdentityIQ. A more detailed look at the template and the configuration options is provided in a later section.
[IdentityIQ installation directory]\WEB-INF\config\credentialConfigurationTemplate.xml
The credentialConfigurationTemplate.xml is located in the WEB-INF\config directory of your IdentityIQ installation.
The template file includes sections for BeyondTrust, CyberArk, and a solution-neutral direct attribute mapping option. If you are using a PAM solution other than BeyondTrust or CyberArk, you can use those sections of the template as a model for configuring another PAM solution.The file is fully commented, to provide guidance as you insert your configuration settings.
Here are some key points to observe when you work with the BeyondTrust portion of the template:
Note that to enable credential cycling with the BeyondTrust PowerBroker Password Safe application, passwords must be configured in the JSON format. For example:
{"bt_user":"MyUserName","bt_password":"MyPasswordValue"}
In the Credential Source section, you configure
In the Credential Association section, you configure
<CredentialSource credentialClass="sailpoint.pam.credential.BeyondTrustCredentialManager" name="beyondTrust ">
<!-- The attributes in this map are used mainly to communicate with BeyondTrust.
Any values here can be overridden by values of the same name in the attributes
map of each credential association. Required attributes must either be configured
here or in every credential source. Attributes:
Required: url
Required: runas
Required: apikey
Required: managedSystemName
Required: managedAccountName
Optional: durationMinutes
Optional: credentialCacheMinutes
Optional: checkInReason
Optional: checkOutReason
-->
<Attributes>
<Map>
<entry key="url">
<value><String>https://your.beyondtrust.server/BeyondTrust/api/public/v3/</String></value>
</entry>
<entry key="runas">
<value><String>runas_user</String></value>
</entry>
<entry key="apikey">
<value><String>your_BeyondTrust_api_key_goes_here</String></value>
</entry>
<entry key="managedAccountName" value="beyond_trust_managed_account_name"/>
<entry key="managedSystemName" value="beyond_trust_managed_system_name"/>
</Map>
</Attributes>
<!-- ***Application Configuration -->
<CredentialAssociation applicationName="application_name"
attributeName="application_username_attribute"
credentialAttributeName="bt_user">
<!-- *** Attribute values go here. These attributes can be used to override values from
*** above, or can be left out if not needed -->
<Attributes>
<Map>
<entry key="managedAccountName" value="special_beyond_trust_managed_account_name"/>
</Map>
</Attributes>
</CredentialAssociation>
<CredentialAssociation applicationName="application_name"
attributeName="application_password_attribute"
credentialAttributeName="bt_password"/>
</CredentialSource>
CyberArk implementations require the installation of CyberArk’s Credential Provider API. The Credential Provider API enables passwords that are stored in CyberArk Digital Vaults to be retrieved by IdentityIQ. This API must be installed on the same server IdentityIQ is installed on.
Note that the Credential Provider API is NOT the same as CyberArk’s Central Credential Provider, which provides access to the Digital Vault via web services. For full details on how to obtain and use the Credential Provider API, please refer to CyberArk’s documentation.
IdentityIQ uses the “Application Hash Value” method of authenticating to the API; other methods of authentication will not work. Verify connectivity to the CyberArk Digital Vault using the command line clipasswordsdk before attempting to construct the attributes of the Credential Cycling Configuration object.
Note: For more information, refer to CyberArk’s Credential Provider and ASCP Implementation Guide.
First, ensure that you have extracted the pam-credential.jar file from the identityiq.war. If you have deployed IdentityIQ using the "exploded" form of the war file, you don't need to take any extra steps to extract the pam-credential.jar file; however, if you are not using this deployment strategy, you will have to extract the pam-credential.jar from the identityiq.war file, perform the steps below, then repackage the pam-credential.jar back into the identityiq.war file.
Here are some key points to observe when you work with the CyberArk portion of the template.
In the Credential Source section, you configure
In the Credential Association section, you configure
<CredentialSource credentialClass="sailpoint.pam.credential.CyberArkCredentialManager" name="cyberark">
<!-- The attributes in this map are used mainly to communicate with CyberArk.
Any values here can be overriden by values of the same name in the attributes
map of each credential association. Required attributes must either be configured
here or in every credential source. Attributes:
Required: safe
Required: folder
Required: appId
Required: object
-->
<Attributes>
<Map>
<entry key="safe" value="cyber_ark_safe_name"/>
<entry key="folder" value="cyber_ark_folder_name"/>
<entry key="appId" value="cyber_ark_app_ID"/>
</Map>
</Attributes>
<!-- *** Application Configuration -->
<CredentialAssociation applicationName="application_name"
attributeName="application_username_attribute"
credentialAttributeName="CyberArk_username_attribute">
<!-- *** Attribute values go here. These attributes can be used to override values from
*** above, or can be left out if not needed -->
<Attributes>
<Map>
<entry key="object" value="object_value"/>
</Map>
</Attributes>
</CredentialAssociation>
</CredentialSource>
Here are some key points to observe when you work with the mapping portion of the template:
In the Credential Source section, you configure your actual credential values, since you are not connecting to a third-party PAM source. It is a good practice to use encrypted passwords in this section.
The Credential Associations settings connect the values in the Credential Source section to your applications as shown in the template XML below.
<CredentialSource credentialClass="sailpoint.pam.credential.MapCredentialManager" name="mapCredManager">
<!-- The attributes in this map are the values that will be returned by the map credential manager.
It's probably a good idea to encrypt these so they are not stored in plain text if the values
are sensitive -->
<Attributes>
<Map>
<entry key="credentialValues">
<value>
<Map>
<entry key="map_username_attribute" value="john_doe_username"/>
<entry key="map_password_attribute" value="super_secret_password"/>
</Map>
</value>
</entry>
</Map>
</Attributes>
<!-- *** Application Configuration -->
<CredentialAssociation applicationName="application_name"
attributeName="application_username_attribute"
credentialAttributeName="map_username_attribute"/>
<CredentialAssociation applicationName="application_name"
attributeName="application_password_attribute"
credentialAttributeName="map_password_attribute"/>
</CredentialSource>
When credential cycling is configured for an application, the Application Definition UI shows a message to indicate this. Although the relevant credential fields (in this example, Connection User and Connection Password) are still marked as requiring values, these fields are not validated when credential cycling is enabled, and so can be left blank, or can include dummy values.
There's an undocumented syntax used to replace Active Directory Application attributes when using Credential Cycling. The feature uses SailPoint's MapUtil API. Here's a configuration that works.
<CredentialSource credentialClass="sailpoint.pam.credential.CyberArkCredentialManager" name="cyberark">
<Attributes>
<Map>
<entry key="appId" value="CyberArk"/>
<entry key="folder" value="root"/>
<entry key="object" value="ActiveDirectory"/>
<entry key="safe" value="MicrosoftSafe"/>
</Map>
</Attributes>
<CredentialAssociation applicationName="ActiveDirectory" attributeName="domainSettings[domainNetBiosName=DOMAINNAME].password" credentialAttributeName="password"/>
</CredentialSource>
The interesting part is the attributeName of the CredentialAssociation. Here we are saying to put the password credential attribute value from CyberArk into the domainSettings key that contains a list where one of the list entries matches the DOMAINNAME value putting a new key 'password' into the list entry.
Here's another example where we have to double backslash the domain username when referencing the user entry.
<CredentialAssociation applicationName="AD" attributeName="domainSettings[user='connectivity\\appadmin']. password" credentialAttributeName="password"/>
I hope this helps clear confusion based on feedback from a number of our customers,
Chris
A Helpful from one of our customers. Below is a final working file format/syntax to share with the community
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ </CredentialAssociation> <CredentialAssociation applicationName="Active Directory" attributeName="domainSettings[user="devcorp\\svcSailPointiIQ"].password" credentialAttributeName="password"> <Attributes> <Map> <entry key="object" value="devcorp~svcSailPointiIQ"/> </Map> </Attributes> </CredentialAssociation> <CredentialAssociation applicationName="Active Directory" attributeName="forestSettings[user="devcorp\\svcSailPointiIQ"].password" credentialAttributeName="password"> <Attributes> <Map> <entry key="object" value="devcorp~svcSailPointiIQ"/> </Map> </Attributes> </CredentialAssociation> <CredentialAssociation applicationName="Active Directory" attributeName="exchangeSettings[user="devcorp\\svcSailPointiIQ"]..password" credentialAttributeName="password"> <Attributes> <Map> <entry key="object" value="devcorp~svcSailPointiIQ"/> </Map> </Attributes> </CredentialAssociation> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | HTML Email |
jeri.smith chris.annino cathy.mallet
Can someone help understand how the property attributeName in the credential association field should be interpreted, I get the idea of credentialAttributeName property will always be "password" value from CyberArk. E.g. JDBC apps where user and password are stored in CyberArk as password object, I need to map them in the CredentialMapping file, how should the CredentialAssociation should like?
<CredentialAssociation applicationName="Oracle ERP" attributeName="user" credentialAttributeName="password">
<Attributes>
<Map>
<entry key="object" value="object_value"/>
</Map>
</Attributes>
</CredentialAssociation>
<CredentialAssociation applicationName="Oracle ERP" attributeName="password" credentialAttributeName="password">
<Attributes>
<Map>
<entry key="object" value="object_value"/>
</Map>
</Attributes>
</CredentialAssociation>
Also what is the significance of Attributes Map, what should be object and object_value?
@suresh1_munuswamy in Object mapping you need to use the following entry key.
<entry key="Object" value="<Name value from the cyberark account>">
Hey Experts, Did any one know if Credential cycling can be integrated with Chamber of Secret?
Hello @chris_annino and @jeri_navin. Thanks for the above documentation which was really helpful.
Did anyone know, how to write a format/syntax in CredentialConfiguration.xml for AD with multi domain settings.
Can someone help me with this.
Thanks,
Sharath
CyberArk Credential configuration mapping for a test application configured in SailPoint that uses basic auth.
Credential Configuration:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<sailpoint>
<Configuration name="CredentialConfiguration">
<Attributes>
<Map>
<entry key="sources">
<value>
<List>
<CredentialSource credentialClass="sailpoint.pam.credential.CyberArkCredentialManager" name="cyberark">
<Attributes>
<Map>
<entry key="safe" value="SAFE-ID"/>
<entry key="folder" value="Root"/>
<!-- AppId used in CyberArk where Hash is added -->
<entry key="appId" value="SailpointIIQ"/>
</Map>
</Attributes>
<!-- applicationName should match the SailPoint application -->
<!-- attributeName should match the attribute which holds the username. Use /debug to look for the application and find the attribute -->
<!-- credentialAttributeName should match the CyberArk response. Refer the sample CyberArk response in the comment -->
<CredentialAssociation applicationName="Test-Application" attributeName="user" credentialAttributeName="PassProps.UserName">
<Attributes>
<Map>
<!-- In CyberArk, use the name value under Account Details. Refer one of the previous comment which has screenshot -->
<entry key="object" value="Name value from the cyberark account"/>
</Map>
</Attributes>
</CredentialAssociation>
<CredentialAssociation applicationName="Test-Application" attributeName="password" credentialAttributeName="Password">
<Attributes>
<Map>
<entry key="object" value="Name value from the cyberark account"/>
</Map>
</Attributes>
</CredentialAssociation>
</CredentialSource>
</List>
</value>
</entry>
</Map>
</Attributes>
</Configuration>
</sailpoint>
Sample CyberArk Response:
<Elements>
<Element>
<ElementType>PasswordResponse</ElementType>
<ResponseBase>
<ResponseId>1</ResponseId>
<PasswordResponse>
<Password>*****</Password>
<Flags>0</Flags>
<AlterPassword>*****</AlterPassword>
<PassProps>
<AccountDescription>Sailpoint test account for credential Cycling</AccountDescription>
.
.
<UserName>xyz-username</UserName>
.
.
<Environment>Non-Prod</Environment>
</PassProps>
<PasswordChangeInProcess>false</PasswordChangeInProcess>
</PasswordResponse>
</ResponseBase>
</Element>
</Elements>
Hope it is helpful
Does the credential cycling require PAM License from SailPoint Vendor or it can be configured without license.
@PrashRai Were you able to get an answer to your question regarding Credential Cycling and the need for a PAM License?
@PrashRai Yes you need a PAM license from Sailpoint to use credential cycling...