Overview
More and more customers are using Enterprise Password Vaults (EPV) such as CyberArk to securely store and centrally manage identities and credentials. Delphix has added CyberArk vault support to the Delphix Virtualization Engine via CLI/API as a new authentication option for environments and databases. This minimizes the number of places where credentials need to be stored and therefore the risk of insecure storage.
The following diagram illustrates an overview of the architecture.
The Delphix Engine uses various authentication methods such as username/password, username/ssh key, and Kerberos credentials when connecting to hosts and databases from the Engine. These credentials are stored in metadata service (MDS) in an encrypted format and can be retrieved later to perform various operations. Delphix provides an additional authentication method by integrating Virtualization with the most common vault types (CyberArk). During runtime, Delphix retrieves the credentials (passwords, ssh keys) from the customer's vault servers via API calls and avoids having to manage customer passwords.
This feature allows for integration with only Agentless installations of CyberArk and includes three main stages of operation:
- Vault library
This acts mainly as a bridge to the Password Vault and is included as a dependency in Virtualization to access the vault. All the interactions with the Password Vault are carried out via the Vault Library. The library is mainly implemented to carry out the following two functions:
- Configure Password Vaults using host address, port number, applicationId, and certificates (client certificate, private key, and CA certificate).
- Retrieve credentials at runtime from a vault using a unique identifier that locates a set of credentials in a configured vault. This occurs for any activity that requires Environment access (SnapSync, Validated Sync, LogSync, as well as Environment monitoring). This may result in a significant number of requests, so any existing connection rate limits should be evaluated and adjusted accordingly.
- Setup App
This allows system administrators to manage (add, delete, modify, and validate) vault configurations during and after setup.
Each engine can have multiple vaults configured that are the same or of a different kind. The vault configurations are stored in files on the Delphix Engine and are accessed to retrieve the credentials. Below is a sample of a vault configuration file.

```properties
#Properties for CyberArk Vault: DemoVault
#Tue Apr 28 09:59:14 PDT 2020
HOST=services-uscentral.skytap.com
APP_ID=Delphix
PORT=17993
VAULT_NAME=DemoVault
```
- Virtualization
Integrates the Vault Library into virtualization to allow:
- A new credential type VaultCredential when adding/modifying host/database users. The Vault credential constitutes the vault reference added by the system administrator and a unique credential Id, which are stored on MDS in separate columns.
- Admins to select a vault from a list of vaults configured on the engine.
- Environment users and Database users to authenticate themselves by retrieving credentials from a password vault when unique identifiers are provided instead of retrieving from MDS.
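The Setup App stores each vault as a small properties file of the shape shown above. The following is an added example (not Delphix code) of a parser and sanity check for that file format: it reads the `KEY=value` lines, skips `#` comments, rejects duplicate keys so a stray second `HOST=` line cannot silently redirect lookups, and checks that the fields the sample shows (`HOST`, `APP_ID`, `PORT`, `VAULT_NAME`) are present and plausible. The required-key list, the hostname and port checks, and the sample text are this example's own assumptions based on the page's DemoVault file.

```python
"""Parse and sanity-check a Delphix vault configuration (properties) file.

Added example, not Delphix code. It assumes the Java-properties layout shown
on the page; the required-key list and the checks are this example's own
assumptions.
"""
from __future__ import annotations

import re

# Assumed from the page's sample file.
REQUIRED_KEYS = ("HOST", "APP_ID", "PORT", "VAULT_NAME")

# Constructed sample, modelled on the page's DemoVault file.
SAMPLE_CONFIG = """\
#Properties for CyberArk Vault: DemoVault
#Tue Apr 28 09:59:14 PDT 2020
HOST=services-uscentral.skytap.com
APP_ID=Delphix
PORT=17993
VAULT_NAME=DemoVault
"""

# RFC 1123-style hostname: labels of 1..63 chars, no leading/trailing hyphen.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def parse_properties(text: str) -> dict[str, str]:
    """Return KEY -> value for every non-comment, non-blank line.

    Duplicate keys are rejected rather than last-one-wins, so a second
    HOST= line cannot quietly point the engine at a different vault server.
    """
    props: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=value, got {line!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in props:
            raise ValueError(f"line {lineno}: duplicate key {key}")
        props[key] = value
    return props


def validate_vault_config(props: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means the config is usable."""
    problems: list[str] = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            problems.append(f"missing or empty {key}")
    host = props.get("HOST", "")
    if host and not _HOSTNAME_RE.match(host):
        problems.append(f"HOST is not a valid hostname: {host!r}")
    port = props.get("PORT", "")
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"PORT must be an integer in 1..65535, got {port!r}")
    return problems


def load_vault_config(text: str) -> dict[str, str]:
    """Parse and validate in one step; raises ValueError listing every problem."""
    props = parse_properties(text)
    problems = validate_vault_config(props)
    if problems:
        raise ValueError("; ".join(problems))
    return props


if __name__ == "__main__":
    cfg = load_vault_config(SAMPLE_CONFIG)
    print(f"vault {cfg['VAULT_NAME']} -> {cfg['HOST']}:{cfg['PORT']} (app {cfg['APP_ID']})")
```

Run it against a copied configuration file before relying on it; the checks are deliberately strict, since a malformed vault entry only surfaces later as a failed SnapSync or environment refresh.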
Roles and Privileges for CyberArk Users
| Role | Privileges |
|---|---|
| System Administrator | Can add, modify, delete, and list vault configurations, and retrieve user credentials from vaults. |
| Delphix Administrator | Can list existing vault configurations and retrieve user credentials. |
Setting up a Vault via GUI
Complete setup via the GUI is available for CyberArk as of 6.0.3.0.
- Connect to the Delphix Engine at http://<Delphix Engine>/login/index.html#serverSetup.
- Add a CyberArk CA certificate to the TrustStore as part of the initial configuration. Refer to TrustStore Settings for the steps to add a CA certificate.
- Click on the Modify link in the top right of the Network Authorization panel.
- On the Network Authorization window, click "+" to add a new vault.
- Enter the following information. Depending upon your requirements, you can set the configurations for the CyberArk vault.

| Field | Possible Value and Data Type | Description |
|---|---|---|
| Vault Type | CyberArk | |
| Vault Name | `<user-specified>`; accepts a string value | Specifies the user-specified vault name |
| Vault Hostname | cyberark02.delphix.com; accepts a URL string value | Specifies the location of the user's vault server |
| Port | 443; accepts an integer value | Specifies the port number through which the communication will happen |
| App ID | DelphixQADSA; accepts a string value | Specifies an application ID registered with and provided by CyberArk |
| Authentication Certificate | `-----BEGIN CERTIFICATE-----` `<certificate>` `-----END CERTIFICATE-----`; accepts a string value | Specifies the authentication certificate provided by CyberArk |
| Private Key | `<CyberArk-provided>`; accepts a string value | Specifies the private key provided by CyberArk for TLS-based authentication |

- Click Validate to check the configurations before saving the vault details.
- Click Save.
The added configurations can be viewed in the Network Authorization window.
Editing a Vault via the GUI
- Connect to the Delphix Engine at http://<Delphix Engine>/login/index.html#serverSetup.
- Click on the Modify link in the top right of the Network Authorization panel.
- In the Network Authorization window, select a vault, then the pencil icon.
- Edit your configuration.
- Select Edit.
Deleting a Vault via the GUI
- Connect to the Delphix Engine at http://<Delphix Engine>/login/index.html#serverSetup.
- Click on the Modify link in the top right of the Network Authorization panel.
- In the Network Authorization window, select a vault, then select the trashcan icon.
- Select Yes to delete the vault.
Adding a Host user for CyberArk
- Login to the Delphix Management Application and select Manage > Environments.
- Select Add Environment.
- In the Environment Setting tab, select Password Vault as the Login Type.
- Select the vault configuration: provide the username, select the enterprise password vault system, enter a query string (a unique identifier pointing to the credentials to be retrieved), and complete your environment configuration.
- The environment will be created with the primary user using vault credentials.
Adding a Database user for CyberArk
- Login to the Delphix Management Application.
- Add dSource using database credentials from CyberArk vault by selecting Password Vault as the Login Type.
- Provide the appropriate query string and complete configuration.
Supported Hosts/Databases
All host users are supported to use vault credentials. For Windows users, vault support cannot be used when adding an environment using the Delphix Connector. Existing users on Windows environments can be updated to use vault support.
Vault integration is currently only supported for SAP ASE database users and MSSQL domain users using 6.0.2 and later.
Setting up a Vault via CLI
- Login as a system administrator and add a CyberArk CA certificate to the TrustStore as part of the initial configuration.
- SSH to <Delphix Engine IP>, navigate to service passwordVault, and enter create.

```
ip-10-110-230-197 service passwordVault> create
```

- Add a new vault configuration by entering a name, host, port, applicationId, client certificate and private key.

```
ip-10-110-230-197 service passwordVault create
Properties
    type: CyberArkPasswordVault
    name: DemoVault (*)
    applications: Delphix (*)
    clientCertificate:
        type: PemClientCertificate (*)
        clientCertificateChain: (required)
        privateKey: (required)
    host: services-uscentral.sktyop.com (*)
    port: 17993 (*)
```
Updating an existing vault configuration
Deleting an existing vault configuration
Adding/Modifying host users
Add an environment with user credentials from the CyberArk vault. When adding a host/database user with a vault credential, the name field is just a user identifier and not the actual username. If this field is empty, a unique identifier is generated from a hash of the vault credentials.
Adding/Modifying database users
Add dSource using database credentials from CyberArk vault.
Update Existing Database Users
Convert an existing database to use vault credentials for the existing database user.
```
ip-10-110-230-197 > sourceconfig
ip-10-110-230-197 sourceconfig > select MyOraDB
ip-10-110-230-197 sourceconfig "MyOraDB" > update
ip-10-110-230-197 sourceconfig "MyOraDB" *> set credentials.type=CyberarkVaultCredential
ip-10-110-230-197 sourceconfig "MyOraDB" *> set credentials.vault=MyVault
ip-10-110-230-197 sourceconfig "MyOraDB" *> set credentials.queryString="safe-test;folder=root;object=UnixSSH-delphix_db"
ip-10-110-230-197 sourceconfig "MyOraDB" *> set db_user="Vault-User"
ip-10-110-230-197 sourceconfig "MyOraDB" *> commit
```
The `set db_user="Vault-User"` step is optional. If the db_user field is not changed, it keeps its old value. That value may no longer be correct, or the change to vault credentials may be part of tightening the customer's security posture, in which case they may not want their Delphix admins to know the username.
Setting up Vault via API
The vault API allows users to add, modify, delete, and list vault configurations and to retrieve user credentials on a Delphix Engine.
Endpoint - https://<Delphix Engine IP>/resources/json/delphix/service/passwordVault
Sample API Request
```json
{
  "type": "CyberArkPasswordVault",
  "name": "DemoVault",
  "host": "services-uscentral.skytap.com",
  "port": 17993,
  "applicationId": "Delphix",
  "clientCertificate": {
    "type": "PemClientCertificate",
    "privateKey": "-----BEGIN PRIVATE KEY-----<>-----END PRIVATE KEY-----",
    "clientCertificateChain": {
      "type": "PemCertificateChain",
      "chain": [
        {
          "type": "PemCertificate",
          "contents": "-----BEGIN CERTIFICATE-----<>-----END CERTIFICATE-----"
        }
      ]
    }
  }
}
```
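Assembling the request above by hand is error-prone, and the private key it carries is exactly the kind of value that must not end up in a ticket or a log. The following added example (not Delphix code) builds the `CyberArkPasswordVault` payload in the shape the page shows from PEM files, splitting a certificate bundle into one `PemCertificate` entry per block, refusing to proceed when the key or certificate markers are missing, and providing a redacted copy for logging. It assumes an already-authenticated Delphix API session whose cookie is passed in; the PEM-marker checks, the placeholder PEM material, and the `submit_vault_request` helper are this example's own assumptions, and only the endpoint path is from the page.

```python
"""Build (and optionally submit) a CyberArkPasswordVault creation request.

Added example, not Delphix code. The request shape and endpoint path come
from the page; the PEM checks, redaction and session handling are assumed.
"""
from __future__ import annotations

import copy
import json
import re
import urllib.request

# Constructed placeholder PEM material; real files come from CyberArk.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIB<placeholder>\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIE<placeholder>\n-----END PRIVATE KEY-----\n"

_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
_KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----.*?-----END (?:RSA |EC )?PRIVATE KEY-----", re.S
)


def split_certificate_chain(pem: str) -> list[str]:
    """Return every CERTIFICATE block in a PEM bundle, in file order."""
    certs = [m.group(0) for m in _CERT_RE.finditer(pem)]
    if not certs:
        raise ValueError("no CERTIFICATE block found in client certificate PEM")
    return certs


def check_private_key(pem: str) -> str:
    """Return the unencrypted PRIVATE KEY block, or fail before anything is sent."""
    m = _KEY_RE.search(pem)
    if not m:
        raise ValueError("no unencrypted PRIVATE KEY block found (encrypted keys are not accepted here)")
    return m.group(0)


def build_vault_request(name: str, host: str, port: int, application_id: str,
                        cert_pem: str, key_pem: str) -> dict:
    """Assemble the CyberArkPasswordVault object in the page's layout."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return {
        "type": "CyberArkPasswordVault",
        "name": name,
        "host": host,
        "port": port,
        "applicationId": application_id,
        "clientCertificate": {
            "type": "PemClientCertificate",
            "privateKey": check_private_key(key_pem),
            "clientCertificateChain": {
                "type": "PemCertificateChain",
                "chain": [{"type": "PemCertificate", "contents": c}
                          for c in split_certificate_chain(cert_pem)],
            },
        },
    }


def redact_for_log(payload: dict) -> dict:
    """Deep copy with the private key masked, safe to write to audit logs."""
    safe = copy.deepcopy(payload)
    cert = safe.get("clientCertificate")
    if isinstance(cert, dict) and "privateKey" in cert:
        cert["privateKey"] = "<redacted>"
    return safe


def submit_vault_request(engine: str, payload: dict, session_cookie: str) -> dict:
    """POST to the page's passwordVault endpoint (network call; not exercised offline).

    Assumes an authenticated Delphix API session; pass its cookie header value.
    """
    url = f"https://{engine}/resources/json/delphix/service/passwordVault"
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", "Cookie": session_cookie},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    payload = build_vault_request("DemoVault", "services-uscentral.skytap.com", 17993,
                                  "Delphix", SAMPLE_CERT_PEM, SAMPLE_KEY_PEM)
    print(json.dumps(redact_for_log(payload), indent=2))
```

Always log the `redact_for_log` form, never the raw payload; the private key is the credential that lets the engine pull every secret the CyberArk application ID is allowed to read.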
Deleting an existing vault configuration
Adding/Modifying host users
Add an environment with user credentials from the CyberArk vault. When adding a host/database user with a vault credential, the name field is just a user identifier and not the actual username. If this field is empty, a unique identifier is generated from a hash of the vault credentials.
```json
{
  "type": "HostEnvironmentCreateParameters",
  "primaryUser": {
    "type": "EnvironmentUser",
    "credential": {
      "type": "VaultCredential",
      "vault": "CYBERARK_PASSWORD_VAULT-1",
      "vaultCredentialId": "safe=test;folder=root;object=UnixSSH-sybase"
    }
  },
  "hostEnvironment": {
    "type": "UnixHostEnvironment",
    "name": "bbh-env"
  },
  "hostParameters": {
    "type": "UnixHostCreateParameters",
    "host": {
      "type": "UnixHost",
      "address": "bbdhcp-vault-demo.dlpxdc.co",
      "toolkitPath": "/work"
    }
  }
}
```
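The `vaultCredentialId` is the only thing that tells the engine which CyberArk object to fetch, and the page's text (both for the CLI and for the API) notes that the user name is merely an identifier that is hash-derived when left empty. The following added example (not Delphix code) checks the identifier before a request is sent and builds the `VaultCredential` and `HostEnvironmentCreateParameters` objects in the layout shown above. It assumes, from the page's examples, that the identifier is a semicolon-separated list of `key=value` pairs with `safe`, `folder` and `object` required, so a malformed form such as `safe-test;folder=root;...` (no `=` in the first pair) is rejected locally rather than failing at lookup time. The `user_identifier` function is this example's own illustration of a hash-derived fallback name; the engine's actual derivation is not documented on the page.

```python
"""Validate a vault credential identifier and build the VaultCredential objects
shown on the page.

Added example, not Delphix code. Identifier grammar, required keys and the
hash-derived fallback name are this example's assumptions.
"""
from __future__ import annotations

import hashlib

# Assumed from the page's examples: safe=...;folder=...;object=...
REQUIRED_PARTS = ("safe", "folder", "object")


def parse_vault_credential_id(cred_id: str) -> dict[str, str]:
    """Split 'k=v;k=v' into a dict, rejecting malformed or incomplete identifiers."""
    parts: dict[str, str] = {}
    for piece in cred_id.split(";"):
        if not piece.strip():
            continue
        if "=" not in piece:
            raise ValueError(f"{piece!r} is not key=value in {cred_id!r}")
        key, _, value = piece.partition("=")
        key, value = key.strip(), value.strip()
        if not key or not value:
            raise ValueError(f"empty key or value in {piece!r}")
        if key in parts:
            raise ValueError(f"duplicate key {key!r} in {cred_id!r}")
        parts[key] = value
    missing = [k for k in REQUIRED_PARTS if k not in parts]
    if missing:
        raise ValueError(f"missing {', '.join(missing)} in {cred_id!r}")
    return parts


def build_vault_credential(vault_ref: str, cred_id: str) -> dict:
    """VaultCredential object as shown on the page; fails early on a bad identifier."""
    parse_vault_credential_id(cred_id)
    return {"type": "VaultCredential", "vault": vault_ref, "vaultCredentialId": cred_id}


def user_identifier(name: str, vault_ref: str, cred_id: str) -> str:
    """Return the given name, or a stable hash-derived identifier when it is empty.

    Illustrates the page's 'unique identifier generated with a hash of vault
    credentials'; the real engine's derivation is an assumption here.
    """
    if name.strip():
        return name.strip()
    digest = hashlib.sha256(f"{vault_ref}\n{cred_id}".encode()).hexdigest()
    return f"vault-user-{digest[:16]}"


def build_host_environment_params(env_name: str, address: str, toolkit_path: str,
                                  vault_ref: str, cred_id: str, user_name: str = "") -> dict:
    """HostEnvironmentCreateParameters in the page's layout, with a vault-backed primary user."""
    return {
        "type": "HostEnvironmentCreateParameters",
        "primaryUser": {
            "type": "EnvironmentUser",
            "name": user_identifier(user_name, vault_ref, cred_id),
            "credential": build_vault_credential(vault_ref, cred_id),
        },
        "hostEnvironment": {"type": "UnixHostEnvironment", "name": env_name},
        "hostParameters": {
            "type": "UnixHostCreateParameters",
            "host": {"type": "UnixHost", "address": address, "toolkitPath": toolkit_path},
        },
    }


if __name__ == "__main__":
    import json
    params = build_host_environment_params(
        "bbh-env", "bbdhcp-vault-demo.dlpxdc.co", "/work",
        "CYBERARK_PASSWORD_VAULT-1", "safe=test;folder=root;object=UnixSSH-sybase")
    print(json.dumps(params, indent=2))
```

Because the identifier names a CyberArk safe, folder and object, treat it as configuration that deserves review: a wrong `object=` value does not fail until the engine attempts SnapSync or environment monitoring, and those retries count against the vault's connection rate limits mentioned earlier.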
Adding/Modifying database users
Add dSource using database credentials from CyberArk vault.
The following is a sample API link request for an MSSQL domain user.
{ "type": "LinkParameters", "name": "ReportServer", "group": "GROUP-1", "linkData": { "type": "MSSqlLinkData", "config": "MSSQL_SINGLE_CONFIG-5", "sharedBackupLocations": [], "encryptionKey": "", "sourceHostUser": "HOST_USER-3", "mssqlUser":{ "password": { "type": "VaultCredential", "vault": "CYBERARK_PASSWORD_VAULT-2", "vaultCredentialId": "safe=test;folder=root;object=Database-MSSql-addtully" }, "type": "MSSqlDomainUser" }, "pptRepository": "MSSQL_INSTANCE-4", "pptHostUser": "HOST_USER-3", "ingestionStrategy": { "validatedSyncMode": "TRANSACTION_LOG", "type": "ExternalBackupIngestionStrategy" }, "sourcingPolicy": { "logsyncEnabled": false, "type": "SourcingPolicy" }, "syncParameters": { "compressionEnabled": false, "backupPolicy": "PRIMARY", "type": "MSSqlNewCopyOnlyFullBackupSyncParameters" } } }