韓誥傭痔

Table of Contents

CyberArk configuration

CyberArk configuration

This section explains how to configure 韓誥傭痔 to retrieve secrets from CyberArk Vault CV12.

The vault should be installed and configured as per the official CyberArk .

To learn about configuring TLS in 韓誥傭痔, see Storage of secrets section.

Database credentials

Access to a secret with database credentials is configured for each 韓誥傭痔 component separately.

Server and proxies

To obtain database credentials for 韓誥傭痔 server or proxy from the vault, specify the following configuration parameters in the configuration file:

Vault - specifies which vault provider should be used.
VaultURL - vault server HTTP[S] URL.
VaultDBPath - query to the vault secret containing database credentials. The credentials will be retrieved by keys 'Content' and 'UserName'.
VaultTLSCertFile, VaultTLSKeyFile - SSL certificate and key file names. Setting up these options is not mandatory, but highly recommended.

韓誥傭痔 server also uses these configuration parameters (except VaultDBPath) for vault authentication when processing vault secret macros.

韓誥傭痔 server and 韓誥傭痔 proxy read the vault-related configuration parameters from zabbix_server.conf and zabbix_proxy.conf upon startup.

Example

In zabbix_server.conf, specify:

Vault=CyberArk
       VaultURL=https://127.0.0.1:1858
       VaultDBPath=zabbix_server&Query=Safe=passwordSafe;Object=zabbix_server_database
       VaultTLSCertFile=cert.pem
       VaultTLSKeyFile=key.pem

韓誥傭痔 will send the following API request to the vault:

$ curl \
       --header "Content type: application/json" \
       --cert cert.pem \
       --key key.pem \
       https://127.0.0.1:1858/AIMWebService/api/Accounts?AppID=zabbix_server&Query=Safe=passwordSafe;Object=zabbix_server_database

Vault response, from which the keys "Content" and "UserName" should be retrieved:

{
       "Content": <password>,
       "UserName": <username>,
       "Address": <address>,
       "Database" :<Database>,
       "PasswordChangeInProcess":<PasswordChangeInProcess>
       }

As a result, 韓誥傭痔 will use the following credentials for database authentication:

Username: <username>
Password: <password>

Frontend

To obtain database credentials for 韓誥傭痔 frontend from the vault, specify required settings during frontend installation.

At the Configure DB Connection step, set Store credentials in parameter to CyberArk Vault.

Then, fill in additional parameters:

Parameter	Mandatory	Default value	Description
Vault API endpoint	yes	https://localhost:1858	Specify the URL for connecting to the vault in the format `scheme://host:port`
Vault secret query string	yes		A query, which specifies from where database credentials should be retrieved. Example: `AppID=foo&Query=Safe=bar;Object=buzz:key`
Vault certificates	no		After marking the checkbox, additional parameters will appear allowing to configure client authentication. While this parameter is optional, it is highly recommended to enable it for communication with the CyberArk Vault.
SSL certificate file	no	conf/certs/cyberark-cert.pem	Path to SSL certificate file. The file must be in PEM format. If the certificate file contains also the private key, leave the SSL key file parameter empty.
SSL key file	no	conf/certs/cyberark-key.pem	Name of the SSL private key file used for client authentication. The file must be in PEM format.

User macro values

To use CyberArk Vault for storing Vault secret user macro values:

Set the Vault provider parameter in the Administration -> General -> Other web interface section to CyberArk Vault.

Make sure that 韓誥傭痔 server is configured to work with CyberArk Vault.

The macro value should contain a query (as query:key).

See Vault secret macros for detailed information about macro value processing by 韓誥傭痔.

Query syntax

The colon symbol (:) is reserved for separating the query from the key. If a query itself contains a forward slash or a colon, these symbols should be URL-encoded (/ is encoded as %2F, : is encoded as %3A).

Example

In 韓誥傭痔: add user macro {$PASSWORD} with type Vault secret and value: AppID=zabbix_server&Query=Safe=passwordSafe;Object=zabbix:Content

韓誥傭痔 will send API request to the vault:

$ curl \
       --header "Content type: application/json" \
       --cert cert.pem \
       --key key.pem \
       https://127.0.0.1:1858/AIMWebService/api/Accounts?AppID=zabbix_server&Query=Safe=passwordSafe;Object=zabbix

Vault response, from which the key "Content" should be retrieved:

{
       "Content": <password>,
       "UserName": <username>,
       "Address": <address>,
       "Database" :<Database>,
       "PasswordChangeInProcess":<PasswordChangeInProcess>
       }

Macro resolves to the value: <password>

Update existing configuration

To update an existing configuration for retrieving secrets from a CyberArk Vault:

Update the 韓誥傭痔 server or proxy configuration file parameters as described in the Database credentials section.
Update the DB connection settings by reconfiguring 韓誥傭痔 frontend and specifying the required parameters as described in the Frontend section. To reconfigure 韓誥傭痔 frontend, open the frontend setup URL in the browser:

for Apache: http://<server_ip_or_name>/zabbix/setup.php
for Nginx: http://<server_ip_or_name>/setup.php

Alternatively, these parameters can be set in the frontend configuration file (zabbix.conf.php):

$DB['VAULT']                    = 'CyberArk';
       $DB['VAULT_URL']                = 'https://127.0.0.1:1858';
       $DB['VAULT_DB_PATH']            = 'AppID=foo&Query=Safe=bar;Object=buzz';
       $DB['VAULT_TOKEN']              = '';
       $DB['VAULT_CERT_FILE']          = 'conf/certs/cyberark-cert.pem';
       $DB['VAULT_KEY_FILE']           = 'conf/certs/cyberark-key.pem';

Configure user macros as described in the User macro values section, if necessary.

To update an existing configuration for retrieving secrets from a HashiCorp Vault, see HashiCorp configuration.