Using Credential Management Service for Properties of Type Password

Use the credential management service, CyberArk Application Access Manager, to store passwords securely, replace passwords automatically, and so on. Storing passwords in the CyberArk credential management service is more secure than storing them in clear text in the configuration files.

Prerequisites

  • Set up the CyberArk account for the TIBCO BusinessWorks™ Container Edition application to create a password. For more information, see the https://www.cyberark.com/ website.
  • Configure the following environment variables:
    • APP_CONFIG_PROFILE = Name of the application profile to be used
    • CYBERARK = Set to true to enable CyberArk credential management service
Follow these steps to modify properties of type Password.

Procedure

  1. To fetch the password from the credential management service, in the application property editor, select the property of type Password and click .
  2. Choose the Credential Management option.


    The Set Credential Management icon is displayed next to the password type field.
  3. Click the Set Credential Management icon. The Credential Management window is displayed.
  4. On the Credential Management window, select the credential management service provider, CyberArk, and enter the CyberArk URL in the URL field.


  5. Click OK.
    Note:
    • The credential management service, CyberArk, is supported for Docker only.
    • The query URL configured for a property can be updated during deployment by passing it as an environment variable. The name of the environment variable should be the same as the name of the property that needs to be updated. To update the CyberArk URL, the format for the environment variable is as follows:

      <ApplicationModuleName>_<ApplicationProfileName>_<PropertyName>=<New URL>

      If the module property or property name has a slash (/) or dot (.) as a separator, replace the separator with an underscore (_). For example, if the application cyberark.test.application has a property under the newGroup/newProperty groups and the profile is set to default, the environment variable should be:

      cyberark_test_default_newGroup_newProperty=<Updated URL>

    Client Authentication and SSL verification
    • Client certificate: Convert the client certificate to JKS format and add the certificate to the /Resources/addons/certs folder for Docker. Pass the following environment variables while executing the application:
      • CYBERARK_KEYSTORE_PATH
      • CYBERARK_KEYSTORE_PASSWORD

      For more information on the environment variables, see Environment Variables for Docker.

    • Root CA certificate: Add the Root CA certificate to the /Resources/addons/certs folder for Docker. While running the application on TIBCO Business Studio™ for BusinessWorks™, add this certificate to the CA keystore located at $BW_HOME/tibcojre64/1.8.0/lib/security/cacerts.
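
The naming rule from the note under step 5, as an added example (not TIBCO or CyberArk code): a shell helper that derives the override variable name and prints the NAME=URL pair to pass at deployment. The function names, the https-only check, and the sample URL are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build the deployment-time override for a CyberArk query URL.
# Assumption: MODULE is given without the ".application" suffix, matching the
# page's example (cyberark.test.application -> cyberark_test).

# cyberark_env_name MODULE PROFILE PROPERTY
# Prints <Module>_<Profile>_<Property> with "." and "/" replaced by "_".
cyberark_env_name() {
    if [ "$#" -ne 3 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
        echo "usage: cyberark_env_name MODULE PROFILE PROPERTY" >&2
        return 2
    fi
    cen_name=$(printf '%s_%s_%s' "$1" "$2" "$3" | tr './' '__')
    # Added sanity check: after substitution only letters, digits and "_" may
    # remain; anything else (space, "-", "=") would make an ambiguous or
    # unexportable variable name.
    case "$cen_name" in
        [0-9]*|*[!A-Za-z0-9_]*)
            echo "error: '$cen_name' is not a usable variable name" >&2
            return 1 ;;
    esac
    printf '%s\n' "$cen_name"
}

# cyberark_env_assignment MODULE PROFILE PROPERTY URL
# Prints NAME=URL. Refusing non-https URLs is a policy added in this example.
cyberark_env_assignment() {
    case "$4" in
        https://?*) ;;
        *) echo "error: CyberArk URL must use https" >&2; return 1 ;;
    esac
    cea_name=$(cyberark_env_name "$1" "$2" "$3") || return $?
    printf '%s=%s\n' "$cea_name" "$4"
}

# Constructed sample values; the URL is a placeholder, not a real endpoint.
cyberark_env_assignment cyberark.test default newGroup/newProperty \
    "https://cyberark.example.test/placeholder-query"
```

The printed pair can be passed to the container with docker run -e.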