Revision Number | Author | Summary |
---|---|---|
20240401-01 | David Hisel | Version 1.0 |
20240418-01 | David Hisel | Version 1.1 – Add Credential Provider |
- General Requirements
- Linux Host Configuration
- GitGuardian Configuration
- Create the GitGuardian Webhook
- Install and Build the Integration Service
- Credential Provider Installation
- Install and Build the Integration Service with Credential Provider
- Configure The CP Integration Service
- Create a CP startup script
Customers must have the following in order to implement this capability:
- Privilege Cloud account
  - Safe created for storing Pending accounts
  - User that has access to the Pending safe with sufficient permissions to add accounts to the safe
  - CPM plugin installed (the CPM plugin can be downloaded from the CyberArk Marketplace)
- Linux host: this is where the integration application will run
- PostgreSQL (or PostgreSQL-compatible) database accessible from the Linux host
- GitGuardian account
  - Personal Access Token
  - Webhook Authorization Token
To enable the Credential Provider feature, the Credential Provider must be installed on the Linux host where the integration application runs.
Additional requirements to enable the Credential Provider feature:
- Credential Provider installed on the Linux host
  - CP Service
  - CP SDK
- Privilege Cloud account
  - "CyberArk GitGuardian Integration Host" platform installed (download it from the CyberArk Marketplace)
The Linux host itself needs:
- Git and Go installed
- Network configured to allow incoming GitGuardian webhook requests
- Front-end proxy (NGINX) installed to terminate TLS and proxy-pass requests to the integration
  - Hostname resolves in DNS
  - TLS certificate and key created for the endpoint
- Log in to the Linux host where you will run the integration service
- Install NGINX
- Configure NGINX as a front-end proxy. Here is an example configuration where the hostname has been added to DNS as "webhook1.example.com" and the associated certificate and key have been created and are available on the Linux host for NGINX. Only TLS 1.2 and 1.3 are offered: TLS 1.0 and 1.1 are deprecated and should not be enabled on an internet-facing endpoint. Example config:
server {
    listen 443 ssl;
    server_name webhook1.example.com;
    ssl_certificate ssl/webhook1.example.com/webhook1.example.com.cer;
    ssl_certificate_key ssl/webhook1.example.com/webhook1.example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        # the integration service listens on this port (the -port parameter below)
        proxy_pass http://localhost:9191;
        # proxy_params ships with the Debian/Ubuntu nginx package; on other
        # distributions set the proxy_set_header Host/X-Real-IP/X-Forwarded-For
        # directives here instead
        include proxy_params;
    }
}
- Endpoint defined for the integration, e.g. https://webhook1.example.com/
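As an added example (not code from the original guide or the integration project), the following script lints the NGINX front-end configuration before it is loaded: it fails if the server block still offers the deprecated SSLv3/TLSv1/TLSv1.1 protocols, or if proxy_pass does not point at the port the integration listens on. The config it checks is a constructed sample that enables TLSv1 and TLSv1.1 alongside 1.2 and 1.3, a common leftover in older templates; the script then shows the same file with the corrected directive being accepted. File names and the 9191 port are assumptions matching the example above.

```bash
#!/bin/sh
# Added example; not part of the original guide or the integration project.
# Lint for the NGINX front-end config: rejects deprecated TLS protocols and a
# proxy_pass that does not target the integration's listen port.

# weak_tls_protocols FILE
#   Prints, one per line, every deprecated protocol named on the
#   ssl_protocols directive(s) in FILE. Exit status 1 if any were found.
weak_tls_protocols() {
  # drop the trailing ';' and any comment so the tokens compare cleanly
  _tokens=$(grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$1" | sed 's/[;#].*//')
  _found=0
  for _proto in SSLv3 TLSv1 TLSv1.1; do
    for _tok in $_tokens; do
      [ "$_tok" = "$_proto" ] && { echo "$_proto"; _found=1; }
    done
  done
  return $_found
}

# proxy_target FILE
#   Prints the upstream URL of the first proxy_pass directive in FILE.
proxy_target() {
  sed -n 's/.*proxy_pass[[:space:]]*\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# check_config FILE PORT
#   Exit status 0 when FILE offers only TLS 1.2/1.3 and proxies to PORT.
check_config() {
  _status=0
  _weak=$(weak_tls_protocols "$1") || {
    echo "$1: deprecated protocols enabled: $(echo "$_weak" | tr '\n' ' ')" >&2
    _status=1
  }
  _target=$(proxy_target "$1")
  case $_target in
    *:"$2") ;;
    *:"$2"/*) ;;
    *) echo "$1: proxy_pass '$_target' does not use port $2" >&2; _status=1 ;;
  esac
  [ "$_status" -eq 0 ]
}

# Constructed sample: a server block that still offers TLS 1.0 and 1.1.
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
server {
    listen 443 ssl;
    server_name webhook1.example.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        proxy_pass http://localhost:9191;
    }
}
EOF
# The same block with the corrected directive.
FIXED_CONF=$(mktemp)
sed 's/ssl_protocols .*/ssl_protocols TLSv1.2 TLSv1.3;/' "$WEAK_CONF" >"$FIXED_CONF"

check_config "$WEAK_CONF" 9191 || echo "weak config rejected (expected)"
check_config "$FIXED_CONF" 9191 && echo "fixed config accepted"
```

Run it against the real server block before `sudo nginx -t` and a reload; afterwards, `openssl s_client -connect webhook1.example.com:443 -tls1_1` should fail to handshake while `-tls1_2` succeeds.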
This token is used when calling HMSL (HasMySecretLeaked); authenticating with a GitGuardian token avoids the unauthenticated limit of 5 requests per day. GitGuardian login URL: https://dashboard.gitguardian.com/
- Go to the GitGuardian dashboard and navigate to the API screen
- Check the "Scan" scope checkbox and click Create token
  - Copy the token and save it for configuring the integration (GG_API_TOKEN in the startup script)
The webhook token is presented by GitGuardian when the webhook is configured; the integration uses it to authenticate the webhook requests it receives. GitGuardian login URL: https://dashboard.gitguardian.com/
- Navigate to Integrations and then to the Secrets Manager section
- Click the Install button and configure the integration. Copy the webhook token; it is used in the integration configuration (GG_WEBHOOK_TOKEN in the startup script)
- Create a directory to hold the integration code and change into the directory
mkdir work
cd work
- Clone the git repo to the machine
git clone https://github.com/conjurdemos/cyberark-gitguardian-hmsl-remediation-integration-service.git
- Change into the repo directory
cd cyberark-gitguardian-hmsl-remediation-integration-service
- Compile the binaries using make:
make build-all-bins
- Obtain connection information for the PostgreSQL server
Example:
db user: DBUSER
db pass: DBPASS
db host: localhost
db port: 26257
db name: brimstone (database name)
Using these parameters would create the connection string (if the password contains URL-reserved characters such as @, :, / or #, percent-encode them):
-dburl "postgresql://DBUSER:DBPASS@localhost:26257/brimstone"
- Obtain connection information for the Privilege Cloud account
Example:
Identity tenant ID: ID_TENANTID
Privilege Cloud tenant ID: PCLOUD_TENANTID
Privilege Cloud service user: PCLOUD_SERVICE_USER
Privilege Cloud service user password: PCLOUD_SERVICE_USER_PASS
Pending safe name: PENDING_SAFENAME
Using these parameters to populate the service configuration:
-idtenanturl "https://ID_TENANTID.id.cyberark.cloud"
-pcloudurl "https://PCLOUD_TENANTID.privilegecloud.cyberark.cloud"
-pamuser "PCLOUD_SERVICE_USER"
-pampass "PCLOUD_SERVICE_USER_PASS"
-safename "PENDING_SAFENAME"
- Determine the port that the service will listen on; this is the port that NGINX proxy-passes to (9191 in the example NGINX configuration)
Example:
listen on port 9191
Using this to populate the configuration parameter
-port "9191"
- Generate an API key that the service will use to authenticate incoming requests
Example:
generate a dev API key with value: dev123 (for anything beyond local testing use a random value, e.g. the output of openssl rand -hex 32)
Using this to populate the configuration environment variable
export BRIMSTONE_API_KEY="dev123"
- Using the configuration information gathered, fill in the appropriate fields in the example script and save it as local-start-script.sh in the "./bin" directory. The script holds secrets, so restrict it to the service account (chmod 700) and keep it out of version control. Note that -pampass and the password inside -dburl are command-line arguments and are visible to other local users through ps; the Credential Provider variant described later avoids this by retrieving those credentials from the safe.
#!/usr/bin/bash
# set the value of the API key for authn to brimstone
export BRIMSTONE_API_KEY="dev123"
# set this to the value of the GitGuardian API token
export GG_API_TOKEN="abc123"
# set this to the value of the GitGuardian webhook token presented
# when configuring the webhook
export GG_WEBHOOK_TOKEN="xxx"
# the *var parameters name the environment variables above, so those
# secrets do not appear on the command line
./bin/brimstone -d \
  -hmslurl "https://api.hasmysecretleaked.com" \
  -hmslaudtype "hmsl" \
  -ggapiurl "https://api.gitguardian.com" \
  -ggapitokenvar "GG_API_TOKEN" \
  -ggwebhooktokenvar "GG_WEBHOOK_TOKEN" \
  -keyvar "BRIMSTONE_API_KEY" \
  -dburl "postgresql://DBUSER:DBPASS@localhost:26257/brimstone" \
  -port "9191" \
  -idtenanturl "https://ID_TENANTID.id.cyberark.cloud" \
  -pcloudurl "https://PCLOUD_TENANTID.privilegecloud.cyberark.cloud" \
  -pamuser "PCLOUD_SERVICE_USER" \
  -pampass "PCLOUD_SERVICE_USER_PASS" \
  -safename "PENDING_SAFENAME" > ./bin/brimstone.log 2> ./bin/brimstone-err.log
- Run the script to check that everything is configured properly
bash ./bin/local-start-script.sh
- Check the logs to verify it is running properly
tail ./bin/brimstone.log
# Check log output
tail ./bin/brimstone-err.log
# Check log output
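As an added example (not code from the original guide or the integration project), the following helper builds the -dburl value from the database parameters gathered above, percent-encoding the user and password so that characters such as @, :, / or # in a database password cannot break the URL, and masks the password before the URL is written to a log or pasted into a support ticket. The user, password and host values are constructed placeholders; the 26257 port and "brimstone" database name follow the example above.

```bash
#!/bin/sh
# Added example; not part of the original guide or the integration project.
# Builds a postgresql:// URL for the -dburl parameter and a redacted copy
# that is safe to log.
export LC_ALL=C   # iterate strings byte by byte

# urlencode STRING
#   Prints STRING with every byte outside the RFC 3986 unreserved set
#   (A-Z a-z 0-9 - . _ ~) replaced by %XX.
urlencode() {
  _s=$1; _out=""
  while [ -n "$_s" ]; do
    _c=${_s%"${_s#?}"}     # first byte
    _s=${_s#?}             # remainder
    case $_c in
      [A-Za-z0-9._~-]) _out="$_out$_c" ;;
      *) _out="$_out$(printf '%%%02X' "'$_c")" ;;
    esac
  done
  printf '%s' "$_out"
}

# build_dburl USER PASS HOST PORT DBNAME
#   Prints a postgresql:// URL suitable for the -dburl parameter.
build_dburl() {
  printf 'postgresql://%s:%s@%s:%s/%s' \
    "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4" "$5"
}

# mask_dburl URL
#   Prints URL with the password replaced by '***' so it can be logged.
mask_dburl() {
  printf '%s\n' "$1" | sed 's#^\([a-z]*://[^:/@]*\):[^@]*@#\1:***@#'
}

# Constructed example: a password containing URL-reserved characters.
DB_URL=$(build_dburl DBUSER 'p@ss:w/rd#1' localhost 26257 brimstone)
echo "dburl for the startup script: $DB_URL"
echo "safe to log:                  $(mask_dburl "$DB_URL")"
```

The encoded form is what goes into the -dburl parameter of the startup script; use the masked form whenever the connection string has to appear in brimstone-err.log excerpts or anywhere else that is not protected like the script itself.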
Install the Credential Provider on the same Linux host where you will run the integration application, following the CyberArk Credential Provider documentation:
Credential Provider Documentation
URL: https://docs.cyberark.com/credential-providers/latest/en/Content/CP+and+ASCP/lp_cp.htm
Installation of CP service:
Installation of SDK:
Configuring the SDK:
Note: where the SDK instructions say to copy the files into a /usr/lib directory, copy the files; do not symlink to them.
- Create a directory to hold the integration code and change into the directory
mkdir work
cd work
- Clone the git repo to the machine
git clone https://github.com/conjurdemos/cyberark-gitguardian-hmsl-remediation-integration-service.git
- Change into the repo directory
cd cyberark-gitguardian-hmsl-remediation-integration-service
- Compile the binaries using make:
make build-all-bins
- Download the zip file from the CyberArk Marketplace
- Import it into the Privilege Cloud account: go to Administration -> Platform Management -> Import platform
- The new platform should show up under "Applications"
- Create an account for the database using the PostgreSQL platform
  - Go to the Accounts view and click Add Account
  - Select system type "Database"
  - Select platform "PostgreSQL"
  - Select the safe to add the account to; for this example we have created the safe "IntegrationHostSafe". This is the safe where the integration credentials are stored
  - Fill in the properties for the database using the values gathered when setting up the database, then click Save
- Create an account for the integration service using the CyberArk GitGuardian Integration Host platform
  - Select system type "Application"
  - Select platform "CyberArk GitGuardian Integration Host"
  - Select the same safe as for the database account ("IntegrationHostSafe" in this example); brimstone-cp reads both accounts from the single safe given by -safename
  - Fill in the properties for the integration host using the values gathered when setting up the Linux host, then click Save
- Navigate to Applications
- Click Add Application
- Add a name for the application; this is the value for -appid in the startup script (placeholder INTEGRATION-HOST-APPLICATION-NAME). Use the value of the "Name:" field.
- Add the application, and the provider user created by the Credential Provider installation, as members of the safe with permission to retrieve accounts; without this membership brimstone-cp cannot read the two accounts
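As an added example (not code from the original guide or the integration project), the following pre-flight script checks, before brimstone-cp is ever started, that the application ID can retrieve both accounts from the safe through the Credential Provider, using the clipasswordsdk command-line tool the CP SDK installs. It assumes the SDK's default /opt/CARKaim/sdk location (override with the CLIPASSWORDSDK variable) and uses the placeholder safe, account and application names from this section.

```bash
#!/bin/sh
# Added example; not part of the original guide or the integration project.
# Pre-flight: prove that APPID can retrieve each account brimstone-cp needs.
CLIPASSWORDSDK=${CLIPASSWORDSDK:-/opt/CARKaim/sdk/clipasswordsdk}   # assumed default path

# cp_query SAFE OBJECT
#   Prints the Query string the CP SDK expects for one account.
cp_query() {
  printf 'Safe=%s;Folder=Root;Object=%s' "$1" "$2"
}

# cp_get APPID SAFE OBJECT FIELD
#   Prints one output field of the account (Password, PassProps.UserName, ...)
#   or fails with the SDK's own error message on stderr.
cp_get() {
  "$CLIPASSWORDSDK" GetPassword \
    -p "AppDescs.AppID=$1" \
    -p "Query=$(cp_query "$2" "$3")" \
    -o "$4"
}

# preflight APPID SAFE OBJECT...
#   Exit status 0 when every OBJECT resolves for APPID. Only the user names
#   are printed; the passwords are retrieved to prove access but never echoed.
preflight() {
  _app=$1; _safe=$2; shift 2
  _rc=0
  for _obj in "$@"; do
    if _user=$(cp_get "$_app" "$_safe" "$_obj" PassProps.UserName) &&
       cp_get "$_app" "$_safe" "$_obj" Password >/dev/null; then
      echo "ok: $_safe/$_obj (username $_user)"
    else
      echo "FAIL: $_safe/$_obj is not retrievable by $_app" >&2
      _rc=1
    fi
  done
  return $_rc
}

# Usage, run as the OS user that will start brimstone-cp:
#   sh cp-preflight.sh INTEGRATION-HOST-APPLICATION-NAME IntegrationHostSafe \
#       CYBR-GG-INTEGRATION-HOST-ACCOUNT-NAME POSTGRESQL-ACCOUNT-NAME
if [ $# -ge 3 ]; then
  preflight "$@"
fi
```

Run it under the same OS user and from the same directory that will launch brimstone-cp: Credential Provider application authentication can be restricted by OS user, path and binary hash, so a retrieval that works for root says nothing about the service account. A failure here points at safe membership or the application's allowed authentication methods, not at the integration.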
- Using the configuration information gathered, fill in the appropriate fields in the example script and save it as local-start-script-cp.sh in the "./bin" directory. No secrets appear in this script: brimstone-cp retrieves the database and integration-host credentials from the safe through the Credential Provider.
#!/usr/bin/bash
./bin/brimstone-cp -d \
  -safename "SAFENAME-WHERE-INTEGRATION-HOST-SETTINGS-ARE-STORED" \
  -hostobjname "CYBR-GG-INTEGRATION-HOST-ACCOUNT-NAME" \
  -dbobjname "POSTGRESQL-ACCOUNT-NAME" \
  -appid "INTEGRATION-HOST-APPLICATION-NAME" </dev/null > ./bin/brimstone-cp.log 2> ./bin/brimstone-cp-err.log
- Run the script to check that everything is configured properly
bash ./bin/local-start-script-cp.sh
- Check the logs to verify it is running properly
tail ./bin/brimstone-cp.log
# Check log output
tail ./bin/brimstone-cp-err.log
# Check log output