[Advanced] Password Providers

This section allows the administrator to configure an external password provider. A password provider automatically fetches the centrally managed passwords of service users, so that Genius Server does not depend on a password that was entered manually.

Currently CyberArk's Central Credential Provider (CCP) is the only provider supported by Genius Server, and only the passwords of service users that are configured within authentication providers (for example the proxy user of an LDAP authentication provider) can be retrieved through it.

You can add a new provider by clicking Add Cyber Ark, or edit an existing one by selecting it and clicking Edit.

The configuration of a provider consists of three parts, Connection, Key Store and Query, which are described below.

To delete an existing provider, select it from the list and then click Trash.

Warning

After deleting a password provider, the configuration of every authentication provider that was linked to it must be reviewed: the proxy user of such an authentication provider no longer has a source for its password, and it is the responsibility of the administrator to set a correct one. Ideally, first create the new password provider, link it to the authentication provider, and only then delete the password provider that is no longer required, so that the authentication provider is never left without a valid password.

Connection

Here the connection details of CyberArk's Central Credential Provider, like hostname and port, are configured.

  • Hostname: enter the hostname or IP address of the CCP service.

  • Port: enter the port of the CCP service.

  • Connection timeout: the number of seconds Genius Server waits for the CCP to return the requested password. The timeout is measured from the moment the request leaves the web service until the response from the vault has been returned to it; a request that takes longer fails, and the linked authentication provider cannot authenticate until a later request succeeds.

Do not forget to press Save to save the changes.

Key Store

This section is needed for the mutual (client-certificate) TLS authentication between Genius Server and CyberArk's Central Credential Provider. The key store must contain the client certificate and the private key of the user (application) that is permitted to connect to the CCP; the CCP server's certificate may be included as well, but the server is trusted through the Genius Server trust store (see the note below), not through this key store.

  • Key Store: upload the key store file either by dragging and dropping it or by selecting it from your system with +Select file. Password providers require PKCS#12 files (typically with the extension .p12 or .pfx); other key store formats are not accepted.

  • Key Store Password: enter the key store password.

  • Confirm Key Store Password: confirm the above entered password by entering it again.

  • Key Password: enter the password that protects the private key inside the key store. For PKCS#12 files created with OpenSSL or keytool this is normally the same password as the key store password, since those tools do not set a separate key password.

  • Confirm Key Password: confirm the above entered password by entering it again.

Do not forget to press Save to save the changes.

Note

For Genius Server to trust the TLS certificate presented by the CCP server, import the issuing CA certificate (or the server certificate itself) into the trust store of Genius Server. This is configured in the Genius Server Configuration Tool (Advanced -> Base -> Certificate). Without this, the connection to the CCP fails even when the key store above is correct, because Genius Server cannot verify the server.

Query

The request parameters that are sent to CyberArk's Central Credential Provider are defined here. They identify the requesting application (in our case Genius Server), state the reason for the request and, most importantly, uniquely identify the password that is to be retrieved.

Apart from the App ID, the values in this section are optional and depend on how the corresponding Central Credential Provider is set up (which safes exist, which properties the accounts carry, and which search criteria the application is allowed to use). Request the required values from the administrator of the Central Credential Provider.

Hint

When Query is used as the search criterion, all other criteria (Safe, Folder, Object, Username, Address, Policy ID and Database) are ignored, so you do not have to fill in those fields when you plan to fill in the Query field. Conversely, anything you want to match must then be part of the Query string.

  • App ID: enter the unique ID of the application issuing the password request. The CCP administrator registers this application ID and decides which safes and accounts it may read, so a request with an unknown or unauthorized App ID is rejected by the CCP.

  • Safe: enter the name of the safe where the password is stored.

  • Folder: enter the name of the folder where the password is stored.

  • Object: enter the name of the password object to retrieve.

  • Username: define the search criteria according to the UserName account property.

  • Address: define the search criteria according to the Address account property.

  • Database: define the search criteria according to the Database account property.

  • Policy ID: define the format that will be used in the setPolicyID method.

  • Query: a free query using account properties, including Safe, Folder and Object. When this field is filled in, all other search criteria (see above) are ignored and only the account properties specified here are passed to the Central Credential Provider in the password request. The query format is:

    Safe=<safe>; Folder=<folder>; Object=<password>; Username=<username>; Address=<address>; PolicyID=<policyID>; Database=<database>

    You can add any other available account property. All parameters are optional. If you specify Safe and Object but not Folder, the root folder is used by default. If you specify neither Safe nor Object, the Central Credential Provider searches all folders starting from the root folder. Make sure that neither the name nor the value of an account property contains a ; (semicolon), since the semicolon separates the properties, and that the name of an account property contains no space.

  • Query Type: the query format, which can optionally use regular expressions.

    • exact: indicates that the specified parameter values are exact values.

    • regexp: indicates that the specified parameter values are regular expressions. To require an exact account property match in a regular expression, the value must begin with ^ and end with $; an unanchored pattern also matches accounts whose property merely contains the value. To specify free text ("wildcard"), use an asterisk (*).

  • Reason: the reason for retrieving the password. This reason is recorded in the Credential Provider audit log together with the request, so a short description such as the name of the authentication provider that uses the password helps the CCP administrator trace it.

  • Fail on Change: if set to ON, the CCP returns an error instead of a password when a password change process for the account is underway at the time of the request. This avoids retrieving a password that is about to become invalid, at the cost of the request failing during the change.

Do not forget to press Save to save the changes.
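As an added illustration (not Genius Server or CyberArk code), the following Python shows how the fields of this section combine into one CCP password request: a filled-in Query overrides the individual criteria, Query Type is sent only when it is regexp, and the free-form Query is checked against the constraints given above (no semicolon in names or values, no space in a property name). It assumes the CCP REST endpoint path /AIMWebService/api/Accounts and the parameter names AppID, Safe, Folder, Object, UserName, Address, PolicyID, Database, Query, QueryFormat, Reason, FailRequestOnPasswordChange and ConnectionTimeout as published in CyberArk's CCP documentation; the host name, safe and account names used are constructed for the example.

```python
"""Compose the CCP password request from the Query configuration.

Added example, not part of Genius Server or CyberArk. Assumed (from CyberArk's
public CCP documentation, not from this page): the endpoint path
/AIMWebService/api/Accounts and the parameter names used below.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlencode


@dataclass
class CcpQueryConfig:
    """One-to-one with the fields of the Query section."""
    app_id: str
    safe: Optional[str] = None
    folder: Optional[str] = None
    object_name: Optional[str] = None
    username: Optional[str] = None
    address: Optional[str] = None
    database: Optional[str] = None
    policy_id: Optional[str] = None
    query: Optional[str] = None
    query_type: str = "exact"          # "exact" or "regexp"
    reason: Optional[str] = None
    fail_on_change: bool = False
    connection_timeout: int = 30       # seconds, from the Connection section


def validate_query(query: str) -> List[str]:
    """Check a free-form Query against the rules in the text.

    Returns a list of problems; an empty list means the query is acceptable.
    Properties are separated by ';', so a ';' inside a value shows up as a
    fragment without '=' after splitting.
    """
    problems: List[str] = []
    for fragment in query.split(";"):
        fragment = fragment.strip()
        if not fragment:
            continue                    # harmless trailing ';'
        if "=" not in fragment:
            problems.append(
                f"fragment '{fragment}' is not Name=value "
                "(a name or value probably contains ';')")
            continue
        name, value = (s.strip() for s in fragment.split("=", 1))
        if not name:
            problems.append(f"fragment '{fragment}' has an empty property name")
        elif " " in name:
            problems.append(f"property name '{name}' contains a space")
        if not value:
            problems.append(f"property '{name}' has an empty value")
    return problems


def search_parameters(cfg: CcpQueryConfig) -> Dict[str, str]:
    """Return the parameters that identify the account.

    Implements the Hint above: when Query is filled in, the individual
    criteria are ignored and only Query (plus QueryFormat for regexp) is sent.
    """
    if cfg.query and cfg.query.strip():
        problems = validate_query(cfg.query)
        if problems:
            raise ValueError("; ".join(problems))
        params = {"Query": cfg.query.strip()}
    else:
        individual = (("Safe", cfg.safe), ("Folder", cfg.folder),
                      ("Object", cfg.object_name), ("UserName", cfg.username),
                      ("Address", cfg.address), ("PolicyID", cfg.policy_id),
                      ("Database", cfg.database))
        params = {name: value for name, value in individual if value}
    if cfg.query_type == "regexp":
        params["QueryFormat"] = "Regexp"   # default on the CCP side is Exact
    elif cfg.query_type != "exact":
        raise ValueError(f"unknown query type '{cfg.query_type}'")
    return params


def build_request_url(cfg: CcpQueryConfig, host: str, port: int = 443) -> str:
    """Assemble the GET URL that would be sent over the mutual-TLS connection."""
    params: Dict[str, str] = {"AppID": cfg.app_id}
    params.update(search_parameters(cfg))
    if cfg.reason:
        params["Reason"] = cfg.reason
    if cfg.fail_on_change:
        params["FailRequestOnPasswordChange"] = "true"
    params["ConnectionTimeout"] = str(cfg.connection_timeout)
    return f"https://{host}:{port}/AIMWebService/api/Accounts?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed configuration: the proxy user of an LDAP authentication provider.
    cfg = CcpQueryConfig(app_id="GeniusServer", safe="LDAP-Proxies",
                         object_name="svc-genius-ldap",
                         reason="Genius Server LDAP proxy user")
    print(build_request_url(cfg, "ccp.example.internal"))
```

Note that the request carries the App ID but no credential: the CCP decides on the basis of the client certificate from the key store and the registered App ID whether the account may be read, which is why a wrong key store fails before any of the parameters here are considered.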