Open in app

Sign in

Write

Sign in

Update TLS Certificate for CyberArk Vault used by CPD

Sanjit Chakraborty
6 min readNov 14, 2023

--

Digital vaults have been used in various industries and scenarios to protect sensitive information and facilitate secure access. Financial institutions use digital vaults to protect customer data, financial records, and transaction details. The healthcare sector used it to secure electronic health records. Government organizations use digital vaults to safeguard classified and sensitive information. Cloud service providers use digital vaults to protect customer data and cryptographic keys. Password management tools can be considered a type of digital vault. They securely store and manage user passwords, enabling users to access various online services and accounts with strong, unique passwords.

You can intergrade a digital vault with Cloud Pak for Data (CPD). That allows you to use a digital vault to control user access to CPD. CyberArk provides network vault technology that you can use to create a digital vault in the same namespace as CPD. Instead of entering passwords, all credentials are pulled from the configured vault whenever required. These credentials are used in memory only and do not persist or be cached in CPD. Certain services available on the CPD platform let authorized users define connections to remote data sources and provide credentials for the system to access these data sources. There are two types of vaults available with CPD.

  • Internal vault: This is the default vault when CPD is installed and configured. By default, the internal vault is accessible through only the Credentials and Secrets API.
  • External vault: An enterprise-grade vault is advisable for running CPD in production. For example, CyberArk and HashiCorp vault technologies.

CyberArk is a widely used digital vault with CPD. The CPD documentation described the process of CyberArk integration with the product. Generally, CyberArk uses a trusted SSL certificate, which needs to be renewed after a year. In this article, I will explain the process of redeploying or renewing an expired CyberArk certificate in CPD. For this purpose, you need:

  • PEM-encoded client certificate.
  • PEM encoded client key.
  • Be the vault owner to update the certificate.
  • Administrator of the OpenShift project to manage the cluster.
  • The certificate serial number must be shared with CyberArk support.
  • Bastion node IP must be added to the CyberArk system.

A) Validate the existing expiration date

Check the certificate validity in the secret configured for the vault access. In this example secret name is cyberark-aam-config .

#Extract certificate validity from secret 
oc get secret cyberark-aam-config -o=jsonpath='{.data.client_cert}' | \
base64 --decode | openssl x509 -text

B) Recreate the CyberArk secrets in the CPD namespace

It is easier to drop and create the secret with a new cert and key, rather than update the existing one.

#Login to OCP 
oc login 

#Set the context
oc project <project-name>

#Take backup of the existing secret
oc get secret cyberark-aam-config -o yaml | \
tee cyberark-aam-config_<date>_<env_name>.yaml

#Delete the existing secret
oc delete secret cyberark-aam-config

#Create secret with new cert and key pair
oc create secret generic cyberark-aam-config \
--from-literal=host=https://<URL_TO_THE_AAM_INSTANCE>:<PORT_NUMBER> \
--from-literal=app_id=<AAM_APP_ID> \
--from-file=client_cert=./client.crt \
--from-file=client_key=./client.key

#Example of create secret with new cert and key pair
oc create secret generic cyberark-aam-config \
--from-literal=host=https://cyberarkccp.xyz.co \
--from-literal=app_id=CCP_P \
--from-file=client_cert=./cert.crt \
--from-file=client_key=./cert.key

C) Add new certificate serial number to CyberArk

You need to share the new certificate serial number with the CyberArk administrator to add it on the CyberArk Application Access Manager side. Check CyberArk documentation for Add application authentication and Update applications .

D) Update custom TLS certificate in the CyberArk Vault

You need to gather some system details before updating the TLS certificate in the CyberArk vault on the CPD side.

  1. CPD URL — URL of the Cloud Pak for Data web client.
oc get ZenService lite-cr -o jsonpath="{.status.url}{'\n'}"

2. Token — Authorization token for vault owner to use APIs. Replace <username> and <password> with the vault owner’s user-id and password:

curl -X POST \
  'https://<CPD URL>/icp4d-api/v1/authorize'\
  -H 'Content-Type: application/json' \
  -d '{
    "username":<username>,
    "password":<password>
}'

3. Vault URN — The path parameter that lets the vault micro-service identify and associate the vault with the user. It follows a specific notation as <creator uid>:<vault_name>.

curl -k -X GET \
 'https://<CPD URL>/zen-data/v2/vaults?limit=2&sort=updated_at&provider_name=cyber,hashi' \
 -H 'Authorization: Bearer <Token>' | jq -r

4. CyberArk Vault Address — URL to access the vault.

oc get secret cyberark-aam-config -o "jsonpath={.data['host']}" | base64 -d

5. Application ID — Vault application ID.

oc get secret cyberark-aam-config -o "jsonpath={.data['app_id']}" | base64 -d

6. Base-64 Encoded TLS key — Value of the new TLS key in base-64 encoded mode.

cat <client key file> | base64

7. Base-64 Encoded TLS certificate — Value of the new TLS certificate in base-64 encoded mode.

cat <certificate pam file> | base64

8. Name of safe — Container that holds multiple privileged accounts and their passwords.

From the CPD navigation menu, select Administration > Configurations
Open the Vaults and secrets tab
Open Secrets tab
Click the secret for safe and account name

9. Account object — Account name used in the secret configuration on the CPD platform. (Similar information can be found in CyberArk UI.)

From the CPD navigation menu, select Administration > Configurations
Open the Vaults and secrets tab
Open Secrets tab
Click the secret for safe and account name

E) Validate Certificate

Validate new certificate using curl command directly against CyberArk. Make sure the certificate and key information are not in base64 encrypted mode. Use the certificate and key as files, along with the full path. If this step fails, fix the problem before proceeding.

#Syntax
curl -ki "https://<CyberArk Vault Address>/AIMWebService/api/Accounts?AppID=<Application ID>&Safe=<Safe>&Object=<AccountName>" \
--cert <new base64 client.crt file> \
--key <new base64 client.pem/key file>

#Example
curl -sv --location --request GET 'https://cyberarkccp.xyz.co/AIMWebService/api/Accounts?AppID=CCP_P_Staging&Safe=P_Staging&Object=Database_P_DB-.tdc.xyz.com-CP4D' \
--cert ./cert.pem \
--key ./cert.key

F) Test integration with external vault

Validate new certificate using existing secret. Curl command will return a JSON output, indicating vault_urn. This must be successful before moving to the next step.

curl -k -X PATCH \
  https://<CPD URL>/zen-data/v2/vaults/<Vault URN>?validate=true \
  -H 'Authorization: Bearer <Token>' \
  -H 'Content-Type: application/json' \
 -d '{    
    "description": "Updating CyberArk AAM vault with new certificate",
    "details": { 
                "vault_address": "<CyberArk Vault Address>",
                "app_id": "<Application ID>",
                "client_key": "<Base-64 Encoded TLS Key>",
                "client_certificate" : "<Base-64 Encoded TLS Certificate>"    
    },
    "test_data" : {"safe": "<Name of Safe>", "account_name" : "<account object>"} 
}'

G) Update external vault with new TLS certificate

Rerun the previous command without test_data and remove validate=true query parameters.

curl -k -X PATCH \
  https://<CPD URL>/zen-data/v2/vaults/<Vault URN> \
  -H 'Authorization: Bearer <Token>' \
  -H 'Content-Type: application/json' \
 -d '{    
    "description": "Updating CyberArk AAM vault with new certificate",
    "details": { 
                "vault_address": "<CyberArk Vault Address>",
                "app_id": "<Application ID>",
                "client_key": "<Base-64 Encoded TLS Key>",
                "client_certificate" : "<Base-64 Encoded TLS Certificate>"    
    }
}'

By offering a high level of data security, digital vaults can be a viable solution for protecting CPD connection credentials online. However, you need to be careful to avoid losing access to the data sources due to an expired TLS certificate used by the digital vault. It is important to set a schedule for checking your TLS configuration and renew the certificate as often as practically possible (at least yearly would be good). e. With almost all critical information being stored online today, having the option of a digital vault is even more important. However, you need to be careful to avoid losing access to the data sources due to an expired TLS certificate used by the digital vault. It is important to set a schedule for checking your TLS configuration and renew the certificate as often as practically possible (at least yearly would be good).

Digital Vault
Secrets
Ibm Cloud Pak For Data
Ssl Certificate
Cyberark

--

--

Sanjit Chakraborty
Sanjit Chakraborty

Written by Sanjit Chakraborty

81 Followers
2 Following

Sanjit enjoys building solutions that incorporate business intelligence, predictive and optimization components to solve complex real-world problems.

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams