You can use the Secret object in your JSON code when you do not want to expose confidential information in the source—for example, the Password field in a connection profile. The value of the secret is obtained from a vault and is resolved during deployment.
You can save secrets in the following vault types:
-
Control-M Vault: A secure collection of secrets, defined as name and value pairs, that you manage through Control-M Automation API. For information about managing such secrets, see Secrets Configuration.
For information about the syntax to reference secrets of this type, see Control-M Vault Secrets.
-
External Vault: A secure repository of sensitive information managed by CyberArk software. For more information about setting up an integration with an external vault, see
You can use secrets from your external vault in password-type fields in the following types of centralized connection profiles:
For information about the syntax to reference secrets of this type, see External Vault Secrets.
Control-M Vault Secrets
The following syntax is used to reference a secret stored in a Control-M vault:
"<parameter>" : {"Secret": "<secret name>"}You can use secrets in code, as follows:
{
"Type": "ConnectionProfile:Hadoop",
"Hive": {
"Host": "hiveServer",
"Principal": "a@bc",
"Port": "1024",
"User": "emuser",
"Password": {"Secret": "hive_dev_secret"}
}
}For information about managing secrets of this type, see Secrets Configuration.
External Vault Secrets
The following example shows the syntax of references to secrets stored in an external CyberArk vault. You can use these secrets in password-type fields in File Transfer connection profiles or in connection profiles for plug-ins developed in Control-M Application Integrator (including Control-M Integrations developed by BMC). Secrets from an external vault are supported only in centralized connection profiles.
This feature requires Control-M/EM 9.0.21.300 or higher.
This example shows an Application Integrator connection profile with two types of CyberArk secrets.
{
"NEW-CCP": {
"Type": "ConnectionProfile:ApplicationIntegrator:AI ainew",
"Description": "",
"Centralized": true,
"AI-RunAs-Pass": {
"Secret": {
"Type": "Secret:CyberArkVault:Basic",
"AppID": "finance",
"Safe": "financeDept",
"Folder": "Root",
"Object": "oracleSalaryService",
"Reason": "I need it to export salaries for VP"
}
},
"AI-Run As": "",
"AI-mysecret": {
"Secret": {
"Type": "Secret:CyberArkVault:QueryBased",
"AppID": "finance",
"Query": "Safe=finDep;title=Sr;Department=IT",
"Reason": "I need to build a report on salaries from IT"
}
}
}
}The following table lists the parameters of a secret, which enable Control-M Automation API to locate and retrieve the secret from the external vault:
|
Parameter |
Type |
Description |
|---|---|---|
|
Type |
NA |
Determines one of the following vault types and/or methods to locate and retrieve the secret:
|
|
AppID |
|
Defines the unique ID of the application that issues the password request. Maximum length: 128 |
|
Safe |
Secret:CyberArkVault:Basic |
Defines the name of the CyberArk Safe where the password is stored. Maximum length: 28 |
|
Folder |
Secret:CyberArkVault:Basic |
Defines the name of the folder where the password is stored. Maximum length: 160 Default: Root |
|
Object |
Secret:CyberArkVault:Basic |
Defines the name of the password object to retrieve. Maximum length: 165 |
|
Query |
Secret:CyberArkVault:QueryBased |
Defines a query for the location and retrieval of the secret. This query enables you to include additional CyberArk properties. Maximum length: 2048 characters The query has the following format: Copy
|
|
Reason |
|
Defines the reason for the request. Maximum length: 344 |
YouTube
Twitter
Facebook
LinkedIn