
Shared Document (SSH) with CyberArk PSMP

Hello,


I would like to create a shared document for my team. One caveat: Our company requires all server access to go through CyberArk PSMP. While this procedure has been already described in https://support.royalapps.com/support/solutions/articles/17000129922-integrating-cyberark-with-royal-ts-x- there doesn't seem to be a way to create a shared document this way (as I cannot reference credentials in personal documents as they would have to contain the hostnames).


Things I've tried:

- Using variables to dynamically set vault user and target user in the username field. Fails because I have no way to dynamically get the name of the target user, this would have to be filled manually for each host. Defeats the purpose.

- Using custom fields for vault user and target user: There is no place to save them outside of the shared document where one would have access to it in the shared document

- A custom appsettings.json would be possible, but I don't think there are custom fields allowed in it


Are there any obvious ways or workarounds I'm missing?


Kind Regards,

Merlin


Hi Merlin,


I'm not sure I completely understand the requirement. Shouldn't the credential (and password) come from CyberArk using the Dynamic Folder script?

Hi Stefanm


We're not using the Dynamic Folder script (as 1. it is blocked by security restrictions and 2. it doesn't offer a list of all relevant endpoints). Instead, we want to have the servers relevant for our team in the shared document. Right now I'm looking for a way to store the vault and target usernames in a way that they can be configured per user, while still using the servers from the shared document in this CyberArk environment.

Thanks for clarifying. I'm afraid this isn't possible without dynamic folders because the target host and username/password have to be stored as a credential. In fact, dynamic folders were the primary solution for this problem. I can't think of any other way to make this work in a shared document scenario.

Thanks for the response! In this case, is it possible to have dynamic folders based on "normal" folders? So that we can create the servers by hand and have the dynamic folder script automatically fill out the credential stuff?

Generally speaking, yes. Your dynamic folder scripts can process any data available in the script. So you basically open a shared document, read out data using our PowerShell cmdlets and generate the dynamic folder JSON. You can pull in data from other sources too, of course.

Thanks for your time, I got it to work by putting the connection string (involving both username fields) into the hostname box. I didn't think this was possible in Royal TS, but it works. Vault username and Target username are set as $EffectiveUsernameWithoutDomain$ and $EffectiveUserdomain$. This way, I can specify a credential by name, which sits outside of the shared document. In the (private) credential I used targetusername\vaultusername for the username, abusing the domain delimiter to get two usernames into the field. It definitely is not pretty, but it seems to work rather well.

Glad you found a solution. I'm not sure I understand it though. Can you provide some screenshots how you set that up? Might be helpful for others, I guess.

I'll try my best to summarize it. First of all, this only works with the PuTTY plugin, as the Rebex plugin fails on parsing the hostname.


CyberArk's guideline for SSH connection strings is:

vaultuser@targetuser#centralmanagement@targetmachine#targetport@targetpassword@proxyaddress

On an SSH connection in the Shared Document, as "Computer Name", I set:

$EffectiveUsernameWithoutDomain$@$EffectiveUserdomain$@targetmachine@proxyaddress

This works because internally, username and hostname are "just" concatenated, so it shouldn't matter whether you put the username in the hostname field.


Afterwards, in the same shared connection, in the credential settings, I set up "Specify a credential name", and set that name to something generic like "cyberark". It is important that both "Omit Domain" and "Automatic Logon" are unchecked, as the first would omit the target user we store in the domain field, and the second option would send the username when we already send it in the hostname field. All of my team members will have to have a local Credential called "cyberark" with their usernames.


[screenshot]


The credential itself is stored in my local Royal TS document (i.e. non-shared). It looks like this:


[screenshot]


The TL;DR seems to be: "When you need two usernames, just put one of them in the domain field". Obviously this fails to work when you really need a domain.


Hope this helps, don't hesitate if I can answer more questions!
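To make the workaround above concrete, here is an added example (not Royal TS code and not from the poster) that simulates how a private "targetuser\vaultuser" credential plus the shared-document "Computer Name" template resolve to a PSMP connection string, and that flags the two failure modes the thread mentions ("Omit Domain" checked, or a credential that carries a real domain). It assumes, as labelled in the comments, that Royal TS splits the credential on the first backslash to derive $EffectiveUserdomain$ and $EffectiveUsernameWithoutDomain$.

```python
# Added example, not Royal TS code: simulate the two-usernames-in-one-credential trick.
# Assumption: Royal TS derives $EffectiveUserdomain$ / $EffectiveUsernameWithoutDomain$
# by splitting a "domain\user" credential on its first backslash, and the
# "Omit Domain" checkbox blanks the domain part. The hostname template below is the
# one the poster used (targetmachine / proxyaddress are placeholders, as on the page).
HOSTNAME_TEMPLATE = (
    "$EffectiveUsernameWithoutDomain$@$EffectiveUserdomain$@targetmachine@proxyaddress"
)

def split_credential(username: str, omit_domain: bool = False) -> dict:
    """Turn 'targetuser\\vaultuser' into the two Royal TS variables (assumed semantics)."""
    domain, sep, user = username.partition("\\")
    if not sep:                  # no backslash at all: nothing lands in the domain slot
        domain, user = "", username
    if omit_domain:              # "Omit Domain" checked: the target user is lost
        domain = ""
    return {"$EffectiveUserdomain$": domain, "$EffectiveUsernameWithoutDomain$": user}

def expand(template: str, variables: dict) -> str:
    """Substitute every $Variable$ token in the template."""
    for name, value in variables.items():
        template = template.replace(name, value)
    return template

def resolve_psmp_host(credential_username: str, omit_domain: bool = False) -> str:
    """What PuTTY would receive as the host after Royal TS resolves the credential."""
    return expand(HOSTNAME_TEMPLATE, split_credential(credential_username, omit_domain))

def is_well_formed(connection_string: str) -> bool:
    """vaultuser@targetuser@targetmachine@proxyaddress: four non-empty '@' parts."""
    parts = connection_string.split("@")
    return len(parts) == 4 and all(parts)

if __name__ == "__main__":
    # Constructed sample credential: target account "root", vault account "merlin".
    ok = resolve_psmp_host("root\\merlin")
    print(ok, is_well_formed(ok))
    # Failure mode 1: "Omit Domain" checked -> empty target-user slot.
    bad = resolve_psmp_host("root\\merlin", omit_domain=True)
    print(bad, is_well_formed(bad))
    # Failure mode 2: a credential with a real Windows domain hijacks the target-user slot.
    print(resolve_psmp_host("CORP\\merlin"))
```

The last print shows why the poster's TL;DR says the trick breaks when a real domain is needed: "CORP" would be sent to PSMP as the target user.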

Thanks for sharing the details. You're right, PuTTY is currently the only plugin which can process something like this. Hopefully this helps other users with similar requirements.
