PingFederate Server

Using passwords in secret managers to access datastores

You can configure instances of PingFederate’s datastore plugins to retrieve datastore account passwords that are stored in an external secret management system (secret manager).

Before you begin

Before performing this task, you must:

  • Install the CyberArk Credential Manager or another secret manager

  • Integrate the secret manager with PingFederate

  • Add the datastore passwords to the secret manager

  • Configure an instance of PingFederate’s secret manager plugin to access the secret manager

About this task

Instead of storing passwords for LDAP directories, JDBC databases, and REST API datastores in PingFederate, you can securely store them in a secret manager, a system for maintaining passwords and other secrets. When PingFederate needs to access a datastore, it uses a reference code to request the password from the secret manager. Before that can happen, you must generate a reference code for the datastore password and add it to the datastore plugin instance.

To generate a reference code for a datastore password and add it to a datastore plugin instance:

Steps

  1. Use an instance of the secret manager plugin to generate a reference code for the datastore’s password:

    1. In the PingFederate administrative console, go to System → External Systems → Secret Managers.

      Result:

      The Secret Managers window opens.

    2. Click the name of the secret manager plugin instance.

      Result:

      The Secret Manager window opens.

    3. Go to the Actions tab.

    4. In the Generate section, enter each Parameter Value that PingFederate needs to retrieve the datastore password.

      The values depend on the name and location of the password in the CyberArk Credential Provider. Optionally, you can specify in the reference code that PingFederate will also retrieve the username for the datastore account.

    5. Click Generate.

      Result:

      PingFederate generates and displays the password’s reference code. The code is composed of the obfuscation code OBF:MGR, the plugin instance’s ID, and the parameters you specify on this tab.

    6. Copy the reference code.

    7. Optional: To verify that PingFederate can use the reference code to retrieve a password, paste the code into the Secret Reference field. Then click Validate.

      Result:

      PingFederate requests the password from the CyberArk Credential Provider and then displays whether the request succeeded.

  2. Add the password’s reference code to the datastore plugin instance using one of the following methods, depending on whether the plugin is for an LDAP directory, JDBC database, or REST API datastore:

    Choose from:

    • For an LDAP directory, go to the plugin instance’s LDAP Configuration tab, set Credential Storage to Secret Manager, and enter the Password Reference code that you generated above.

    • For a JDBC database, go to the plugin instance’s Database Config tab, set Credential Storage to Secret Manager, and enter the Password Reference code that you generated above.

    • For a REST API datastore, go to the plugin instance’s Configure Data Store Instance tab, and enter the Password Reference code that you generated above.

    If you configured the reference code with Retrieve Username enabled, PingFederate will ignore the username defined in the datastore plugin instance.