Maverics Orchestrator can retrieve secrets from CyberArk CCP.
The CyberArk CCP integration uses certificate authentication, so you need to provide the paths to the root CA certificate, the client certificate, and the client key.
To load secrets from the CCP, set the environment variable MAVERICS_SECRET_PROVIDER in the file /etc/maverics/maverics.env:
MAVERICS_SECRET_PROVIDER="cyberarkccp://secrets.mydomain.com?appID=some-app-id&safe=some-safe&caFile=rootCA.crt&certFile=client.crt&keyFile=client.pem"
Optionally, you can specify the folder parameter as well:
MAVERICS_SECRET_PROVIDER="cyberarkccp://secrets.mydomain.com?appID=some-app-id&folder=my-folder&safe=some-safe&caFile=rootCA.crt&certFile=client.crt&keyFile=client.pem"
For a more detailed description of the parameters, refer to the CyberArk CCP documentation.
If the paths to your certificate files contain special characters or spaces, they must be URL encoded, just as you would treat any other URL query parameter. For example, if your key file is located at /etc/my keys/the key.pem, the keyFile parameter should be: keyFile=%2Fetc%2Fmy%20keys%2Fthe%20key.pem
Multi-line secrets support
CyberArk CCP does not currently support multi-line password values. To work around this limitation, the provider accepts an optional newLineDelim parameter for referencing multi-line secrets such as certificates. newLineDelim defines the delimiter character(s): every occurrence of that string in the password value is replaced with the new line character \n.
For example, your password may look like this:
FirstLine
SecondLine
ThirdLine
In CCP, store your password with a delimiter in place of the new line character(s). In this example, the ^ symbol was chosen as the delimiter:
FirstLine^SecondLine^ThirdLine
Finally, add the following query parameter to the secret provider URL (%5E is the URL-encoded value of ^):
newLineDelim=%5E
Loading certificates from the Windows Store
If you wish to load a certificate from the Windows Store, you can use the thumbprint or subject of the desired auth certificate or root CA. For the authentication certificate, use the winCertThumbprint or winCertSubject parameter. For the root CA, use the winRootCAThumbprint or winRootCASubject parameter.
If you are using a root CA thumbprint and do not provide the subject or a file, the default system certificates are loaded.
Example with thumbprint:
MAVERICS_SECRET_PROVIDER="cyberarkccp://secrets.mydomain.com?appID=some-app-id&safe=some-safe&winCertThumbprint=1234567890ABCDEF1234567890ABCDEF12345678&winRootCAThumbprint=1234567890ABCDEF1234567890ABCDEF12345678"
With subject:
MAVERICS_SECRET_PROVIDER="cyberarkccp://secrets.mydomain.com?appID=some-app-id&safe=some-safe&winCertSubject=cert.example.com&winRootCASubject=ca.example.com"
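The following helper is an added example (not Maverics' own code) that ties together the three points above: it builds a cyberarkccp:// provider URL with the query parameters URL encoded the way the keyFile example shows, parses it back, and undoes the newLineDelim substitution on a value fetched from CCP. The validation rules it applies (which parameters are required and which certificate sources are alternatives) are assumptions drawn from this page, not the orchestrator's actual checks.

```python
# Added example, not part of the Maverics Orchestrator code base.
# Validation rules below are assumptions based on the documentation page.
import re
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, quote, urlencode, urlsplit

SCHEME = "cyberarkccp"
REQUIRED = ("appID", "safe")
# Accepted ways to supply the client auth certificate: files, or a Windows Store lookup.
CLIENT_CERT_SOURCES = (("certFile", "keyFile"), ("winCertThumbprint",), ("winCertSubject",))
# Windows Store thumbprints are SHA-1, i.e. 40 hex characters, as in the page's example.
THUMBPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


def build_provider_url(host: str, **params: str) -> str:
    """Assemble the provider URL. quote (not quote_plus) encodes spaces as %20
    and '/' as %2F, matching the keyFile example on the page; '^' becomes %5E."""
    return f"{SCHEME}://{host}?{urlencode(params, quote_via=quote)}"


def parse_provider_url(url: str) -> Tuple[str, Dict[str, str]]:
    """Split the URL into host and decoded query parameters, then check the
    parameter combinations the page documents (assumed rules)."""
    parts = urlsplit(url)
    if parts.scheme != SCHEME or not parts.hostname:
        raise ValueError(f"expected {SCHEME}://<host>?..., got {url!r}")
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    missing = [k for k in REQUIRED if k not in params]
    if missing:
        raise ValueError(f"missing required parameter(s): {missing}")
    if not any(all(k in params for k in src) for src in CLIENT_CERT_SOURCES):
        raise ValueError("no client certificate source: need certFile+keyFile, "
                         "winCertThumbprint or winCertSubject")
    for key in ("winCertThumbprint", "winRootCAThumbprint"):
        if key in params and not THUMBPRINT_RE.match(params[key]):
            raise ValueError(f"{key} must be 40 hex characters")
    return parts.hostname, params


def restore_multiline(password: str, new_line_delim: Optional[str]) -> str:
    """Undo the newLineDelim encoding: every occurrence of the delimiter in the
    value stored in CCP becomes a newline. Without a delimiter the value is
    returned unchanged, which is the single-line behaviour the page describes."""
    if not new_line_delim:
        return password
    return password.replace(new_line_delim, "\n")
```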
Using secrets in configuration
To declare a value as a secret in a maverics.yaml config file, wrap the secret's object name in angle brackets:
connectors:
  - name: okta
    type: okta
    apiToken: <oktaAPIToken>
    oauthClientID: <oktaOAuthClientID>
    oauthClientSecret: <oktaOAuthClientSecret>
The CyberArk CCP secret provider can only return a secret as a single-line string; multi-line values such as certificates must be stored with a delimiter and referenced with newLineDelim as described above.