Using Credential Management Service for Properties of Type Password
Use the credential management service, CyberArk Application Access Manager, to store passwords securely, replace them automatically, and so on. The CyberArk credential management service is more secure than passwords stored in clear text in the configuration files.
- Set up the CyberArk account for the TIBCO BusinessWorks™ Container Edition application to create a password. For more information, visit the https://www.cyberark.com/ website.
- Configure the following environment variables:
  - APP_CONFIG_PROFILE = Name of the application profile to be used
  - CYBERARK = Set to true to enable CyberArk credential management service
Procedure
- To fetch the password from the credential management service, in the application property editor, select the property of type Password and click .
- Choose the Credential Management option. The Set Credential Management icon is displayed next to the password type field.
- Click the Set Credential Management icon. The Credential Management window is displayed.
- On the Credential Management window, select the credential management service provider, CyberArk. Enter information in the following fields to form a CyberArk Query URL:
  - Server URL: The base URL of the CyberArk environment in use. This parameter is mandatory.
  - AppID: The unique ID of the application issuing the password request. This parameter is mandatory.
  - Safe: The name of the safe where the password is stored. The Safe field parameter is mandatory if the parameter in the Query field is not defined.
  - Object: The name of the object password to retrieve. The Object field parameter is mandatory if the parameter in the Query field is not defined.
  - Query: Define a free query using account properties, including Safe and Object field parameters. If a query is defined, then the Safe and Object fields are disabled.
Note:
- The credential management service, CyberArk, is supported for Docker only.
- The query URL configured for a property can be updated during deployment by passing it as an environment variable. The name of the environment variable should be the same as the name of the property that needs to be updated. To update the CyberArk URL, the format for the environment variable is as follows:
  <ApplicationModuleName>_<ApplicationProfileName>_<PropertyName>= NEW URL
  If the module name or property name has a slash (/) or dot (.) as a separator, it should be replaced with the underscore (_) separator. For example, if an application cyberark.test.application has a property under newGroup/newProperty Groups and the profile is set to default, the environment variable should be:
  cyberark_test_default_newGroup_newProperty=<Updated URL>
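As an added example (not TIBCO or CyberArk code), the following Python code derives the override variable name by the naming rule above and checks a replacement query URL against the field rules from the procedure before it is passed at deployment. It assumes the fields appear in the URL as query-string parameters named AppID, Safe, Object and Query; the module name cyberark.test, the function names and all URLs are constructed sample values.

```python
import re
from urllib.parse import urlsplit, parse_qs


def override_env_name(module, profile, prop):
    """<ApplicationModuleName>_<ApplicationProfileName>_<PropertyName>,
    with every '/' and '.' separator replaced by '_'."""
    return "_".join(re.sub(r"[/.]", "_", p) for p in (module, profile, prop))


def check_query_url(url):
    """Return the list of problems in a CyberArk query URL (empty = passes)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("Server URL is not https")
    if not parts.hostname:
        problems.append("Server URL has no host")
    # Assumption: the editor fields map to query-string parameters of the
    # same names. Blank values are dropped by parse_qs, so they count as missing.
    params = {k.lower() for k in parse_qs(parts.query)}
    if "appid" not in params:
        problems.append("AppID is mandatory")
    if "query" in params:
        # A defined Query disables the Safe and Object fields.
        if params & {"safe", "object"}:
            problems.append("Query is defined, so Safe and Object must not be set")
    else:
        for name in ("Safe", "Object"):
            if name.lower() not in params:
                problems.append(f"{name} is mandatory when Query is not defined")
    return problems


# Constructed sample values, not taken from a real deployment.
BASE = "https://cyberark.example.com/AIMWebService/api/Accounts"
GOOD = BASE + "?AppID=bwce-app&Safe=AppSafe&Object=db-password"
BAD = "http://cyberark.example.com/AIMWebService/api/Accounts?Safe=AppSafe"
MIXED = BASE + "?AppID=bwce-app&Query=Safe%3DAppSafe%3BObject%3Ddb&Safe=AppSafe"

if __name__ == "__main__":
    name = override_env_name("cyberark.test", "default", "newGroup/newProperty")
    for url in (GOOD, BAD, MIXED):
        issues = check_query_url(url)
        if issues:
            print("REJECT", url, issues)
        else:
            # Value to pass to the container as an environment variable.
            print(f"{name}={url}")
```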
Client Authentication and SSL verification
- Client certificate: Convert the client certificate to a JKS format and add the certificate in /Resources/addons/certs folder for Docker. Pass the following environment variables while executing the application:
  - CYBERARK_KEYSTORE_PATH
  - CYBERARK_KEYSTORE_PASSWORD
  For more information on the environment variables, see Environment Variables for Docker.
  These environment variables can also be passed as module properties, to provide a secure way to pass the keystore password.
  To pass them as module properties, create the module properties with the following names:
  - CYBERARK_KEYSTORE_PATH with type as string
  - CYBERARK_KEYSTORE_PASSWORD with type as password
- Root CA certificate: Add the Root CA certificate in /Resources/addons/certs folder for Docker. While running the application on TIBCO Business Studio for BusinessWorks, add this certificate to the CA keystore located at $BW_HOME/tibcojre64/1.8.0/lib/security/cacerts.