Build an Enterprise Level Password Vault with Talend and CyberArk

  • Abhilash Nagilla
    Abhilash Nagilla is a Senior Consultant at Talend. In this role Mr. Nagilla is a trusted adviser to Talend customers empowering them to optimally leverage their investment in Talend. Mr. Nagilla has over 7 years of Talend experience specializing in the areas of Big Data, Cloud, Data Warehousing, Data Governance and Data Quality.

Major data breaches are becoming more common. Big data breaches may include password data (hopefully hashed), potentially allowing attackers to log in to and steal data from our other accounts or worse.

The majority of people use very weak passwords and reuse them. A password manager assists in generating and retrieving complex passwords, potentially storing such passwords in an encrypted database or calculating them on demand.

In this article, we are going to show how easy it is for Talend to integrate with enterprise password vaults like CyberArk. By doing this, no developer has direct access to sensitive passwords, Talend does not need to know the password at compile (design) time, and password management (changing or updating a password) is done outside of Talend. This saves administrators time and improves the security of the overall environment.

An Introduction to Password Security with CyberArk

CyberArk is an information security company offering Privileged Account Security, which is designed to discover, secure, rotate and control access to privileged account passwords used to access systems throughout the enterprise IT environment.

Create a CyberArk Safe

To get started, we first need to build our safe. A safe is a container for storing passwords. Safes are typically created based on who will need access to the privileged accounts and whose passwords will be stored within the safe.

For instance, you might create a safe for a business unit or for a group of administrators. The safes are collectively referred to as the vault. Here’s a step-by-step guide on how to do that within CyberArk.

Log in to CyberArk with your credentials.

Navigate to Policies -> Access Controls(Safes) -> Click on “Add Safe”.

Create a safe.

You will need a CyberArk safe to store objects.

Creating the Application

Next, we need to create the application we will use to retrieve the credential from the vault. Applications connect to CyberArk using their application ID and application characteristics. Application characteristics are additional authentication factors for the applications created in CyberArk.

Each application should have a unique application ID (application name). We can change it later, but that may also require a code change on the client side where this application is used to get the password. In our case, that is the Talend code. Here's how to do this.

Navigate to Applications and click on “Add Application”.

Now we have a CyberArk account and an application ID. Next, give the application ID permission to retrieve credentials. Click on the Allowed Machines tab and enter the IPs of the servers from which Talend will retrieve credentials.

Access to Applications from Safe

Navigate to Policies -> Access Controls(Safes) -> select your safe and click on Members.

Click on Add Member, search for your application, select it, check the appropriate access permissions, and add it.

Now the next step is to install the credential provider in the development environment.

Installing credential provider (CP)

In order to retrieve credentials, we need to install a CyberArk module on the same box where your application (client) is running. This delivers a Java API that your application calls. The credential provider talks to the CyberArk vault through its own proprietary protocol, retrieves the credentials that you need, and delivers them back to your application through the Java API.

You will need to log in to the CyberArk Support Vault in order to download the Credential Provider.

Retrieve password from Talend using Java API

Last but not least, we need to build a password retrieval mechanism with Talend. Create a Talend job with a tLibraryLoad and a tJavaFlex.

Configure tLibraryLoad with the path to “JavaPasswordSDK.jar”. This makes sure that “JavaPasswordSDK.jar” is added to the classpath by Talend during compilation.

On the tJavaFlex, navigate to the advanced settings and make sure you import the classes needed for the implementation.

In the basic settings of the tJavaFlex, the code below is written to call CyberArk using the Java API.

    // Imports for the tJavaFlex advanced settings:
    //   import javapasswordsdk.*;
    //   import javapasswordsdk.exceptions.*;
    try
    {
        PSDKPasswordRequest passRequest = new PSDKPasswordRequest();
        PSDKPassword password = null;

        // Identify the calling application and the vault object to fetch
        passRequest.setAppID("Talend_FS");
        passRequest.setSafe("Test");
        passRequest.setFolder("root");
        passRequest.setObject("Operating System-UnixSSH-myserver.mydomain.com-root");
        passRequest.setReason("This is a demo job for password retrieval");

        // Sending the request to get the password
        password = javapasswordsdk.PasswordSDK.getPassword(passRequest);

        // Analyzing the response
        System.out.println("The password UserName is : " + password.getUserName());
        System.out.println("The password Address is : " + password.getAddress());
        context.dummy_password = password.getContent();

        // Confirm retrieval without writing the secret itself to the job log
        System.out.println("password retrieved from cyberark's vault and stored in context.dummy_password");
    }
    catch (PSDKException ex)
    {
        System.out.println(ex.toString());
    }

Save the job and execute it.
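The retrieval above can also be packaged as a reusable Talend routine that stops the job when the vault call fails and logs only metadata. This is an added example, not code from the original article or from CyberArk: the class name VaultSecret and method fetch are hypothetical, and it assumes JavaPasswordSDK.jar is on the classpath with the exception class in javapasswordsdk.exceptions.

```java
package routines; // Talend user routines live in this package

import javapasswordsdk.PSDKPassword;
import javapasswordsdk.PSDKPasswordRequest;
import javapasswordsdk.exceptions.PSDKException; // assumed package name

/** Hypothetical routine: fetch a vault secret, fail closed, never log it. */
public class VaultSecret {

    /** Returns the secret, or throws so the job cannot continue with a null password. */
    public static String fetch(String appId, String safe, String folder,
                               String object, String reason) {
        requireNonBlank("appId", appId);
        requireNonBlank("safe", safe);
        requireNonBlank("object", object);
        try {
            PSDKPasswordRequest req = new PSDKPasswordRequest();
            req.setAppID(appId);
            req.setSafe(safe);
            req.setFolder(folder);
            req.setObject(object);
            req.setReason(reason); // recorded by the vault for auditing

            PSDKPassword pw = javapasswordsdk.PasswordSDK.getPassword(req);
            String content = pw.getContent();
            if (content == null || content.isEmpty()) {
                throw new IllegalStateException("Vault returned empty content for '" + object + "'");
            }
            // Metadata only: the secret never reaches stdout or the Talend job log.
            System.out.println("Vault credential retrieved: user=" + pw.getUserName()
                    + ", address=" + pw.getAddress());
            return content;
        } catch (PSDKException ex) {
            // Fail closed: surface the vault error and abort the job.
            throw new IllegalStateException(
                    "CyberArk retrieval failed for object '" + object + "': " + ex, ex);
        }
    }

    private static void requireNonBlank(String name, String value) {
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalArgumentException(name + " must not be blank");
        }
    }
    // tJavaFlex usage, with the article's values:
    //   context.dummy_password = routines.VaultSecret.fetch("Talend_FS", "Test", "root",
    //       "Operating System-UnixSSH-myserver.mydomain.com-root", "demo job");
}
```

Because the routine throws instead of printing the exception, downstream components never run with an empty context.dummy_password.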

Conclusion

The CyberArk Application Identity Manager™, integrated with Talend, provides secured credentials for Talend to conduct in-depth data reporting and analytics. 

Below are a few quick key benefits that an enterprise would get by leveraging CyberArk’s applications with Talend:

  • Eliminating hard-coded credentials
  • Securely store and rotate application credentials
  • Authenticate Applications
  • Deliver Enterprise level scaling and availability

Above all, Talend integrates seamlessly with CyberArk and helps customers leverage all the benefits provided by CyberArk to build an enterprise-level password vault.

Join The Conversation

2 Comments

  1. Bharat Khanna says:

    Very Good and Interesting Article