CyberArk CCP


Maverics Orchestrator can retrieve secrets from CyberArk CCP.

CyberArk CCP uses certificate authentication, so you need to provide the paths to the root CA certificate, the client certificate, and the client key.

To load secrets from the CCP, set the environment variable MAVERICS_SECRET_PROVIDER in the file /etc/maverics/maverics.env:

MAVERICS_SECRET_PROVIDER="cyberarkccp://secrets.mydomain.com?appID=some-app-id&safe=some-safe&caFile=rootCA.crt&certFile=client.crt&keyFile=client.pem"

Optionally, you can specify the folder parameter as well:

MAVERICS_SECRET_PROVIDER="cyberarkccp://secrets.mydomain.com?appID=some-app-id&folder=my-folder&safe=some-safe&caFile=rootCA.crt&certFile=client.crt&keyFile=client.pem"

For a more detailed description of these parameters, refer to the CyberArk CCP documentation.

If the paths to your certificate files contain special characters or spaces, they must be URL-encoded, just like any other URL query parameter. For example, if your key file is located at /etc/my keys/the key.pem, the keyFile parameter should be:

keyFile=%2Fetc%2Fmy%20keys%2Fthe%20key.pem

Multi-line secrets support

Currently CyberArk CCP does not officially support multi-line password values. To work around this limitation, an optional newline delimiter parameter, newLineDelim, is provided for referencing multi-line secrets such as certificates.

newLineDelim defines the delimiter character(s): wherever that string pattern is found in the password value, it is replaced with the newline character \n.

For example:

Suppose your password looks like this:

FirstLine
SecondLine
ThirdLine

In CCP, store the password with a delimiter in place of each newline. In this example, the ^ symbol is chosen as the delimiter:

FirstLine^SecondLine^ThirdLine

Finally, add the following query parameter to the secret provider URL. %5E is the URL-encoded value of ^:

newLineDelim=%5E
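The URL-encoding rule above and the newLineDelim workaround are easy to get subtly wrong (a "+" instead of "%20", a delimiter that is not decoded, a missing appID). The following Python helper, added here as an illustration and not part of Maverics or CyberArk, builds a provider URL with correct percent-encoding, validates it the way a startup check would, and undoes the delimiter substitution on a fetched value. The sample path and the "^" delimiter are the constructed values from this page.

```python
"""Build, validate and consume a cyberarkccp:// secret-provider URL."""
from urllib.parse import urlsplit, parse_qs, urlencode, quote

SCHEME = "cyberarkccp"
REQUIRED = ("appID", "safe")
FILE_AUTH = ("caFile", "certFile", "keyFile")
WIN_AUTH = ("winCertThumbprint", "winCertSubject")


def build_provider_url(host: str, **params: str) -> str:
    """Assemble the MAVERICS_SECRET_PROVIDER value. quote (not quote_plus)
    is used so a space becomes %20 and '/' becomes %2F, as the docs show."""
    return f"{SCHEME}://{host}?{urlencode(params, quote_via=quote)}"


def parse_provider_url(url: str) -> dict:
    """Split the provider URL into a flat dict and reject configurations
    that would fail at startup: wrong scheme, a parameter given twice,
    missing appID/safe, or no client-certificate material at all."""
    parts = urlsplit(url)
    if parts.scheme != SCHEME or not parts.netloc:
        raise ValueError("expected cyberarkccp://<host>?...")
    raw = parse_qs(parts.query, strict_parsing=True)
    dup = [k for k, v in raw.items() if len(v) != 1]
    if dup:
        raise ValueError(f"parameter given more than once: {dup}")
    params = {k: v[0] for k, v in raw.items()}   # values are already decoded
    missing = [k for k in REQUIRED if k not in params]
    if missing:
        raise ValueError(f"missing required parameter(s): {missing}")
    has_files = all(k in params for k in FILE_AUTH)
    has_win = any(k in params for k in WIN_AUTH)
    if not (has_files or has_win):
        raise ValueError("no client certificate: need caFile/certFile/keyFile "
                         "or winCertThumbprint/winCertSubject")
    return {"host": parts.netloc, **params}


def restore_newlines(stored_value: str, params: dict) -> str:
    """Undo the CCP single-line workaround: every occurrence of newLineDelim
    in the value fetched from the safe becomes a real newline."""
    delim = params.get("newLineDelim")
    return stored_value.replace(delim, "\n") if delim else stored_value


if __name__ == "__main__":
    # Constructed example mirroring the documentation's values.
    url = build_provider_url("secrets.mydomain.com", appID="some-app-id",
                             safe="some-safe", caFile="rootCA.crt",
                             certFile="client.crt",
                             keyFile="/etc/my keys/the key.pem", newLineDelim="^")
    print(url)
    cfg = parse_provider_url(url)
    print(restore_newlines("FirstLine^SecondLine^ThirdLine", cfg))
```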

Loading certificates from the Windows Store

If you wish to load a certificate from the Windows Store, you can use the thumbprint or subject of the desired auth certificate or root CA. For the authentication certificate, use the winCertThumbprint or winCertSubject parameter. For the root CA, use the winRootCAThumbprint or winRootCASubject parameter.

If you are using a root CA thumbprint and do not provide a subject or file, the default system certificates are loaded.

Example with thumbprint:

MAVERICS_SECRET_PROVIDER="cyberarkccp://secrets.mydomain.com?appID=some-app-id&safe=some-safe&winCertThumbprint=1234567890ABCDEF1234567890ABCDEF12345678&winRootCAThumbprint=1234567890ABCDEF1234567890ABCDEF12345678"

With subject:

MAVERICS_SECRET_PROVIDER="cyberarkccp://secrets.mydomain.com?appID=some-app-id&safe=some-safe&winCertSubject=cert.example.com&winRootCASubject=ca.example.com"

Using secrets in configuration

To declare a value as a secret in a maverics.yaml config file, wrap the secret's object name in angle brackets:

connectors:
  - name: okta
    type: okta
    apiToken: <oktaAPIToken>
    oauthClientID: <oktaOAuthClientID>
    oauthClientSecret: <oktaOAuthClientSecret>

The CyberArk CCP secret provider can only return secrets as a single-line string; see the newLineDelim parameter above for multi-line values such as certificates.