Secrets in Code

You can use the Secret object in your JSON code when you do not want to expose confidential information in the source—for example, the Password field in a connection profile. The value of the secret is obtained from a vault and is resolved during deployment.

You can save secrets in the following vault types:

Control-M Vault Secrets

The following syntax is used to reference a secret stored in a Control-M vault:

Copy
"<parameter>" :  {"Secret": "<secret name>"}

You can use secrets in code, as follows:

Copy
{
    "Type": "ConnectionProfile:Hadoop",
    "Hive": {
        "Host": "hiveServer",
        "Principal": "a@bc",
        "Port": "1024",
        "User": "emuser",
        "Password": {"Secret": "hive_dev_secret"}
    }
}

For information about managing secrets of this type, see Secrets Configuration.

External Vault Secrets

The following example shows the syntax of references to secrets stored in an external, third-party vault. You can use these secrets in password-type fields in several types of centralized connection profiles—File Transfer connection profiles orconnection profiles for plug-ins developed in Control-M Application Integrator (including Control-M Integrations developed by BMC). Secrets from an external vault are supported only in centralized connection profiles. Use of secrets in centralized connection profiles requires Control-M/EM 9.0.21.300 or higher.

The following example shows an Application Integrator connection profile with two types of CyberArk secrets.

Copy
 {
    "NEW-CCP": {
        "Type": "ConnectionProfile:ApplicationIntegrator:AI ainew",
        "Description": "",
        "Centralized": true,
        "AI-RunAs-Pass": {
            "Secret": {
                "Type": "Secret:CyberArkVault:Basic",
                "AppID": "finance",
                "Safe": "financeDept",
                "Folder": "Root",
                "Object": "oracleSalaryService",
                "Reason": "I need it to export salaries for VP"
            }
        },
        "AI-Run As": "",
        "AI-mysecret": {
            "Secret": {
                "Type": "Secret:CyberArkVault:QueryBased",
                "AppID": "finance",
                "Query": "Safe=finDep;title=Sr;Department=IT",
                "Reason": "I need to build a report on salaries from IT"
            }
        }
    }
}

The following table lists the parameters of a CyberArk secret, which enable Control-M Automation API to locate and retrieve the secret from the external vault:

Parameter

Type

Description

Type

NA

Determines one of the following vault types and/or methods to locate and retrieve the secret:

  • Secret:CyberArkVault:Basic: Defines default CyberArk parameters

  • Secret:CyberArkVault:QueryBased: Enables you to include additional CyberArk parameters

AppID

  • Secret:CyberArkVault:Basic

  • Secret:CyberArkVault:QueryBased

Defines the unique ID of the application that issues the password request.

Maximum length: 128

Safe

Secret:CyberArkVault:Basic

Defines the name of the CyberArk Safe where the password is stored.

Maximum length: 28

Folder

Secret:CyberArkVault:Basic

Defines the name of the folder where the password is stored.

Maximum length: 160

Default: Root

Object

Secret:CyberArkVault:Basic

Defines the name of the password object to retrieve.

Maximum length: 165

Query

Secret:CyberArkVault:QueryBased

Defines a query for the location and retrieval of the secret. This query enables you to include additional CyberArk properties.

Maximum length: 2048 characters

The query has the following format:

Copy
property1=value1;property2=value2;property3=value3
  • The query must uniquely define a single secret.

  • For more information about properties that you can include in the query, see CyberArk Documentation.

  • Properties and values are subject to CyberArk restrictions.

  • The query format is Exact. Regular expressions are not supported.

Reason

  • Secret:CyberArkVault:Basic

  • Secret:CyberArkVault:QueryBased

Defines the reason for the request.

Maximum length: 344