Liquibase CyberArk PAM Vault Extension

Natively read your CyberArk PAM (Privileged Access Manager) based vault secrets in Liquibase. For more information, see CyberArk PAM documentation.

Supported products

Liquibase Pro

Requirements

  • Liquibase 4.10+
  • Liquibase Pro license
  • CyberArk PAM Vault with API enabled
  • RootCA certificate in your Java security keystore (typically cacerts)

Installation

The easiest way to install this extension is with lpm (Liquibase Package Manager).

lpm update
lpm add cyberarkpam-vault

Setup

A Liquibase Pro License key is required.

Required parameters

--vault-addr=PARAM
    URL for CyberArk PAM Vault Server
    (liquibase.vault.addr)
    (LIQUIBASE_VAULT_ADDR)
    [deprecated: --vaultAddr]

--vault-certfile=PARAM
    Certificate for CyberArk PAM Vault Server
    (liquibase.vault.certfile)
    (LIQUIBASE_VAULT_CERTFILE)
    [deprecated: --vaultCertfile]

Adding RootCA certificate in your Java security keystore

Example:

sudo keytool -importcert -alias CyberArkRoot -keystore /Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/lib/security/cacerts -storepass changeit -file RootCA.crt

If you see an error message with a PKIX exception, you may have imported the certificate into the wrong cacerts file. Run liquibase -version to see which JVM Liquibase is using.

To debug the SSL connection, add this Java system property to your command line: -Djavax.net.debug=ssl:handshake
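
One way to check for the wrong-cacerts case before running Liquibase, as an added example that is not part of the extension or its documentation: it finds the truststore of the java on your PATH and checks it for the alias used in the keytool example above. It assumes that java is the JVM Liquibase uses (confirm with liquibase -version); the function names and the RUN_CHECK variable are hypothetical.

```shell
#!/bin/sh
# Added example: find the JVM's cacerts file and check it for the RootCA alias.
# The alias and store password defaults mirror the keytool example on this page.

# Read `java -XshowSettings:properties -version` output on stdin, print java.home.
java_home_from_settings() {
    sed -n 's/^[[:space:]]*java\.home = //p' | head -n 1
}

# Print the cacerts path under a Java home:
# lib/security (Java 9+) or jre/lib/security (JDK 8 layout).
cacerts_path() {
    for rel in lib/security/cacerts jre/lib/security/cacerts; do
        if [ -f "$1/$rel" ]; then
            printf '%s\n' "$1/$rel"
            return 0
        fi
    done
    return 1
}

# Succeed if alias $2 exists in keystore $1 (store password $3).
has_alias() {
    keytool -list -keystore "$1" -storepass "$3" -alias "$2" >/dev/null 2>&1
}

# Returns 0 if the alias is present, 1 if missing, 2 if the truststore was not found.
check_truststore() {
    alias_name=${1:-CyberArkRoot}
    storepass=${2:-changeit}
    home=$(java -XshowSettings:properties -version 2>&1 | java_home_from_settings)
    [ -n "$home" ] || { echo "could not determine java.home" >&2; return 2; }
    store=$(cacerts_path "$home") || { echo "no cacerts under $home" >&2; return 2; }
    echo "JVM truststore: $store"
    if has_alias "$store" "$alias_name" "$storepass"; then
        echo "alias $alias_name present"
    else
        echo "alias $alias_name missing: import RootCA.crt into $store" >&2
        return 1
    fi
}

# RUN_CHECK is a hypothetical switch so the file can also be sourced without side effects.
if [ "${RUN_CHECK:-0}" = "1" ]; then check_truststore "$@"; fi
```

Run it with RUN_CHECK=1, optionally passing a different alias and store password as the first and second arguments.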

Using secrets in liquibase.properties

Any property in a liquibase.properties file can be stored in CyberArk PAM Vault. Use the syntax VAULT_TYPE,PATH_TO_NAME_IN_PAM,FIELD_TO_MAP to tell the vault plugin which properties to populate from the vault:

username= cyberarkpam,UserName,username
password= cyberarkpam,Content,password

Feedback

Please submit all feedback and issues to this idea board.
