Liquibase CyberArk PAM Vault Extension

You can natively read your application secrets in Liquibase with the CyberArk PAM Vault extension. Once you connect to your vault through the liquibase.properties file, you can keep sensitive Liquibase authentication details, such as the database url, username, and password attributes, and your Liquibase Pro license key in the vault instead of in the properties file.

For more information, see CyberArk PAM documentation.

Requirements

Installation

CLI

  1. Navigate to the liquibase-cyberark-pam extension on Maven Central
  2. Download liquibase-cyberarkpam-vault-<version>.jar and move it to the liquibase/lib directory

Liquibase Package Manager

Alternatively, you can install the CyberArk PAM Vault extension with lpm (Liquibase Package Manager).

lpm update
lpm add cyberarkpam-vault

Setup

You must add the RootCA certificate to the cacerts keystore of the Java installation that runs Liquibase. For example:

sudo keytool -importcert -alias CyberArkRoot -keystore /Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/lib/security/cacerts -storepass changeit -file RootCA.crt

If you see an error message containing a PKIX exception, the certificate may have been imported into the cacerts file of a different JVM. Run liquibase -version to see which JVM Liquibase is using.

To debug the SSL handshake, add the JVM option -Djavax.net.debug=ssl:handshake to your command line.

Usage

You can store any Liquibase property in CyberArk PAM Vault.

  1. Set the VAULT_ADDR and VAULT_CERTFILE attributes as environment variables, as -D Java system properties, in your liquibase.properties file, or as command line attributes as shown in the Command Line Attributes section below.
  2. In CyberArk PAM Vault, configure sensitive properties like your database username, password, URL, and Liquibase Pro license key as secrets.
  3. In your liquibase.properties file or other valid configuration location, specify the path to each secret in your vault. Use the syntax VAULT_TYPE,PATH_TO_NAME_IN_PAM,FIELD_TO_MAP.

The following example shows a liquibase.properties file configured to store secrets in a vault:

Note: liquibase.licenseKey= OR liquibase.licenseKey: are valid ways to indicate the values in the liquibase.properties file.


liquibase.properties cyberark example

changeLogFile=example-changelog.xml
liquibase.command.url=jdbc:h2:tcp://localhost:9090/mem:dev
liquibase.vault.addr= https://YOUR_CYBERARK_ENDPOINT:18702/AIMWebService/api/Accounts?AppID=YOUR_APP_ID&Safe=YOUR_SAFE&Folder=root&Object=YOUR_ACCOUNT
liquibase.vault.certfile= YOUR_CERT_PATH/client.p12
liquibase.command.username: cyberarkpam,UserName,username
liquibase.command.password= cyberarkpam,Content,password
liquibase.licenseKey=
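The reference syntax from step 3 and the properties example above, worked through in Python as an added example (this is not code from the Liquibase extension or its documentation): the parser accepts both = and : separators, and the resolver swaps each cyberarkpam,FIELD,NAME reference for the matching field of a constructed vault response, reporting which properties were filled from the vault so they are never written back to disk or logs. The JSON response, placeholder values and function names are assumptions made for the example.

```python
import json
import re
# Constructed stand-in for the JSON the AIM web service returns for one
# account; not a captured response. Only the field names the page maps
# (UserName, Content) are relied on.
CONSTRUCTED_VAULT_RESPONSE = json.dumps(
    {"UserName": "lb_deploy", "Content": "s3cr3t-from-vault"})

# The page's properties example with constructed placeholder values.
CONSTRUCTED_PROPERTIES = """
changeLogFile=example-changelog.xml
liquibase.command.url=jdbc:h2:tcp://localhost:9090/mem:dev
liquibase.vault.addr= https://YOUR_CYBERARK_ENDPOINT:18702/AIMWebService/api/Accounts?AppID=YOUR_APP_ID&Safe=YOUR_SAFE&Folder=root&Object=YOUR_ACCOUNT
liquibase.vault.certfile= YOUR_CERT_PATH/client.p12
liquibase.command.username: cyberarkpam,UserName,username
liquibase.command.password= cyberarkpam,Content,password
"""

PROPERTY_LINE = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")  # key=value or key: value
VAULT_REF = re.compile(r"^(\w+),([^,]+),([^,]+)$")  # VAULT_TYPE,PATH_TO_NAME_IN_PAM,FIELD_TO_MAP

def parse_properties(text):
    """Key/value pairs of a liquibase.properties file; blank lines and
    # comments skipped, values kept verbatim (vault references unresolved)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PROPERTY_LINE.match(line) if line and not line.startswith("#") else None
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def resolve(props, vault_json):
    """Swap each cyberarkpam reference for the named field of the vault
    response. Also return the property names filled from the vault, so the
    caller knows which values must never be written back to disk or logs."""
    account = json.loads(vault_json)
    resolved, from_vault = {}, []
    for key, value in props.items():
        m = VAULT_REF.match(value)
        if m and m.group(1) == "cyberarkpam":
            field = m.group(2)
            if field not in account:
                raise KeyError(f"{key}: vault response has no field {field!r}")
            resolved[key] = account[field]
            from_vault.append(key)
        else:
            resolved[key] = value
    return resolved, from_vault
```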

Command Line Attributes

Attribute         Definition                                   Requirement
--license-key     Your Liquibase Pro license key               Required
--vault-addr      URL for CyberArk PAM Vault Server            Required
--vault-certfile  Certificate for CyberArk PAM Vault Server    Optional

Feedback

Please submit all feedback and issues to this idea board.

Related links