1 Reply Latest reply on Mar 30, 2016 6:02 PM by Ramesh Reddy

    Wildfly integration with Enterprise Password Vault-from CyberArk

    Jayesh Garg Newbie

      I am using Teiid 8.13.3 with a WildFly Server.  I am able to connect my Teiid instance to LDAP Server. However I had to specify a "search-credential" (password) in my configuration. The User that I have to configure needs to be integrated with Password Vault so that all the authentication happens through Password Vault and no password has to be stored in standalone-teiid.xml. Is this possible? How can we achieve that? Password Vault is from Cyberark.

       

       

      Thanks,

      Jayesh



        • 1. Re: Wildfly integration with Enterprise Password Vault-from CyberArk
          Ramesh Reddy Master

          Jayesh,

           

          yes, it is possible. But for it to work you need to develop a custom security domain module (a JAAS security module) and write interfaces into Cyberark to fetch the password, based on the logged in user's credentials or something else. Do you know if Cyberak has any JDBC or rest based interfaces to extract password from it's vault?

           

          There are few moving pieces to solves this, definitely an advanced topic. Since Cyberark is not open source project we will not going to providing such support from community product.

          1) Take a look our code one of login modules like teiid/SimpleLoginModule.java at master · rareddy/teiid · GitHub develop a login module for Cyberark

          2) Deploy above login module in WildFly

          3) Then configure the security-domain using the above login-module in standalone-teiid.xml file. see "security-domain" subsystem there.

          4) Configure LDAP resource adapter to use above security domain. See example here Data Source Security | Teiid Documentation see the fragment

            <security>
            <security-domain>my-security-domain</security-domain>
            </security>

           

          The restart the server, then if you created the Subject correctly with right credentials (PasswordCredential) then LDAP resource-adapter will pick it up from the context and use that as the password.

           

          HTH

          Ramesh..