Application Workflow Connection Profiles
The following topics describe the connection profile parameters for application workflow platforms and services:
Airflow Connection Profile Parameters
Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.
For more information about this plug-in, see Control-M for Airflow.
You must enable the remote REST API access to connect and use Control-M for Airflow, as described in Enabling Remote REST API Access.
The following table describes the Airflow connection profile parameters.
Parameter | Description |
---|---|
Connect To |
Determines whether this connection profile is connected to the one of the following:
|
Service Account Key |
Determines which service account file (JSON) is used to access data in Google Composer. |
Base URL |
Defines the Airflow web UI URL in Google Composer. |
Target Audience |
Defines the JWT (JSON Web Token) audience for the IAP (Identity-Aware Proxy) Google Cloud service. If you do not know the target audience value, define any text value and test the connection profile. The error message indicates the required target audience value. |
Host Name |
Defines the Airflow host name. |
User Name |
Defines the username that is used to log in to the Airflow server. |
Port |
Defines the Airflow port number of the Airflow web server. |
Password |
Defines the password to log in to the Airflow server. |
Secured connection (HTTPS) |
Determines whether a secure connection to the Airflow server is established. Valid Values:
|
Enabling Remote REST API Access
This procedure describes how to configure the Standalone Airflow Server to accept REST API requests that are required by Control-M for Airflow.
Begin
-
Log in to your Airflow server account.
-
Open airflow.cfg and modify.
-
Verify that the Airflow property auth_backend (auth_backends from version 2.3.0) has a value of airflow.api.auth.backend.basic_auth.
-
Restart the Airflow server.
Importing a Standalone Airflow Server Certificate to Support HTTPS Connection
This procedure describes how to import a standalone Airflow Server certificate in the apcerts file for the plug-in (trusted certificates store) for supporting HTTPS connection.
Begin
-
Download the certificate from the Airflow server.
-
Import the certificate file to the Control-M for Airflow JRE truststore, by running the following command:
-
Windows:<JRE>\bin\keytool -import -keystore <AG>\cm\AFL\data\security\apcerts -file <certificate file> -storepass <password, default is appass>
-
Linux:<JRE>/bin/keytool -import -keystore <AG>/cm/AFL/data/security/apcerts -file <certificate file> -storepass <password, default is appass>
/home/agent/my_java/bin/keytool -import -keystore /home/agent/cm/AFL/data/security/apcerts -file airflow.cer -storepass appass
-
-
Restart the Agent.
Apache Airflow Connection Profile Parameters
Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.
For more information about this plug-in, see Control-M for Apache Airflow.
The following table describes the Apache Airflow connection profile parameters.
Parameter |
Description |
---|---|
Airflow URL |
Defines the Apache authentication endpoint for Airflow. https://localhost |
Username |
Defines the username that is used to log in to the Airflow server. |
Password |
Defines the password to log in to the Airflow server. |
Use External Vault |
Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles. |
Connection Timeout |
Determines the number of seconds to wait after Control-M initiates a connection request to Apache Airflow before a timeout occurs. Default: 60 seconds |
Apache NiFi Connection Profile Parameters
Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.
For more information about this plug-in, see Control-M for Apache NiFi.
The following table describes the Apache NiFi connection profile parameters.
Parameter |
Description |
---|---|
NiFi URL |
Defines the Apache authentication endpoint for NiFi. https://localhost |
Port |
Defines the port number of the Apache NiFi server. |
Username |
Defines the Apache NiFi server username. |
Password |
Defines the Apache NiFi server password. |
Use External Vault |
Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles. |
Connection Timeout |
Determines the number of seconds to wait after Control-M initiates a connection request to Apache NiFi before a timeout occurs. Default: 50 seconds |
Astronomer Connection Profile Parameters
Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.
For more information about this plug-in, see Control-M for Astronomer.
The following table describes the Astronomer connection profile parameters.
Parameter |
Description |
---|---|
Deployment URL |
Defines the Astronomer deployment endpoint URL in the Airflow environment. https://clybeh1ok01ke01k6wr9szi10.astronomer.run/dns2rtpk |
Bearer Token |
Defines a security token to authenticate API requests to Astronomer, which allows access to protected resources. |
Use External Vault |
Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles. |
Connection Timeout |
Determines the number of seconds to wait after Control-M initiates a connection request to Astronomer before a timeout occurs. Default: 30 seconds |
AWS MWAA Connection Profile Parameters
Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.
For more information about this plug-in, see Control-M for AWS MWAA.
The following table describes the AWS MWAA connection profile parameters.
Parameter | Description |
---|---|
AWS MWAA URL |
Determines the authentication endpoint for AWS MWAA, based on the following format: https://states.eu-east-1.amazonaws.com |
AWS Region |
Determines the region where the AWS MWAA jobs are located. us-east-1 |
Authentication |
Determines one of the following authentication methods:
|
AWS Access Key |
Defines the access key assigned to the account in the AWS MWAA integration setup. |
AWS Secret |
Defines the secret access key assigned to the account in the AWS MWAA integration setup. |
IAM Role |
Defines the Identity and Access Management (IAM) role name for the AWS MWAA connection. |
Use External Vault |
Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles. |
Connection Timeout |
Determines the number of seconds to wait after Control-M initiates a connection request to AWS MWAA before a timeout occurs. Default: 60 |
AWS Step Functions Connection Profile Parameters
Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.
For more information about this plug-in, see Control-M for AWS Step Functions.
The following table describes the AWS Step Functions connection profile parameters.
Parameter | Description |
---|---|
Step Functions URL |
Determines the authentication endpoint for AWS Step Functions, based on the following format: https://states.eu-east-1.amazonaws.com |
AWS Region |
Determines the region where the AWS Step Functions jobs are located. us-east-1 |
Authentication |
Determines one of the following authentication methods:
AWS IAM Role is currently not supported for this plug-in on ECS container instances and for EKS services. |
AWS Access Key |
Defines the access key assigned to the account in the AWS Step Functions integration setup. |
AWS Secret |
Defines the secret access key assigned to the account in the AWS Step Functions integration setup. |
IAM Role |
Defines the Identity and Access Management (IAM) role name for the AWS Step Functions connection. |
Use External Vault |
Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles. |
Connection Timeout |
Determines the number of seconds to wait after Control-M initiates a connection request to AWS Step Functions before a timeout occurs. Default: 20 |
Azure Logic Apps Connection Profile Parameters
Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.
For more information about this plug-in, see
The following table describes the Azure Logic Apps connection profile parameters.
Parameter |
Description |
---|---|
Subscription ID |
Defines the Azure account subscription ID, which is located in the Azure portal. |
Authentication Method |
Determines one of the following authentication methods to connect to Azure Logic Apps:
|
Specify Managed Identity Client ID |
(Managed Identity) Determines whether the client ID for the managed identity is specified by the Managed Identity Client ID parameter. |
Managed Identity Client ID |
(Managed Identity) Determines which client ID to use as the managed identity. You only need to complete this field if your Azure virtual machine has multiple managed identities and you have selected the Specify Managed Identity Client ID checkbox. If you only have one ID, it is detected automatically. |
Resource Group |
Determines the resource group where your logic app is located. |
Tenant ID |
(Service Principal) Defines the tenant ID. |
Application ID |
(Service Principal) Defines the application ID of the registered application. The service principal must be an Azure Logic Apps workspace user with a Contributor or Owner role. |
Client Secret |
(Service Principal) Defines the password associated with the Azure user and the application. |
Azure Login URL |
(Service Principal) Determines the Azure AD authentication endpoint base URL. https://login.microsoftonline.com |
Use External Vault |
Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles. |
Connection Timeout |
Determines the number of seconds to wait after Control-M initiates a connection request to Azure Logic Apps before a timeout occurs. Default: 50 |
GCP Composer Connection Profile Parameters
Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.
For more information about this plug-in, see Control-M for GCP Composer.
The following table describes GCP Composer connection profile parameters.
Parameter |
Description |
---|---|
GCP Composer URL |
Defines the GCP authentication endpoint for GCP Composer. https://c2b6dd3a789740c087b09992a7df889d-example.composer.googleusercontent.com |
Identity Type |
Determines one of the following authentication types using GCP Access Control:
|
Service Account Key |
(Service Account) Defines a service account that is associated with an RSA key pair. |
Use External Vault |
Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles. |
Connection Timeout |
Determines the number of seconds to wait after Control-M initiates a connection request to GCP Composer before a timeout occurs. Default: 30 |
GCP Workflows Connection Profile Parameters
Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.
For more information about this plug-in, see
The following table describes GCP Workflows connection profile parameters.
Parameter |
Description |
---|---|
Identity Type |
Determines one of the following authentication types using GCP Access Control:
|
GCP API URL |
(Service Account) Defines the Google Cloud Platform (GCP) authentication endpoint for GCP Workflows. https://workflowexecutions.googleapis.com |
Service Account Key |
(Service Account) Defines a service account that is associated with an RSA key pair. |
Use External Vault |
Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles. |
Connection Timeout |
Determines the number of seconds to wait after Control-M initiates a connection request to GCP Workflows before a timeout occurs. Default: 20 |