CyberArk's Central Credential Provider - Client Certificate Authentication

  • Published on 14 Jan 2025

Comments • 77

  • @alukas36
    @alukas36 3 years ago +2

    Excellent video Joe! People will be really happy to have this walkthrough

  • @1775will
    @1775will 3 years ago +6

    Hey Joe, Great video as usual! I know the problem you were having at the end, you were using thumbprint on your cert and that is not your SN, your cert has a SN on it already and that was your issue. When I started watching this video I instantly picked up that you were using thumbprint and I thought that was new since I always knew it was SN and not thumbprint. I thought it might work as you were going through your tutorial but at the end you had problems as I suspected you would. I went back on your video to see your cert and it matched your SN that you had put into your AppID. Also if your CCP server is part of the same domain that your cert is signed from you do not need to install the certificate at all on your CCP server. Great stuff!

    • @HellZone_VFX
      @HellZone_VFX 1 year ago

      Hi, in an organisation don't we have one single domain where our CCP and application server are joined (usually)? So we don't have to install the certificate on the CCP server in that case?
      One more question, while exporting the client certificate do we need the private key as well?

  • @tonymaina9279
    @tonymaina9279 11 months ago +1

    Thanks for this video. Have some security concerns on having the private key stored locally. I will explore to have them short-lived or stored in Venafi or a secrets manager

    • @infamousjoeg
      @infamousjoeg 11 months ago

      Those are both great options! Another alternative would be an HSM or cloud KMS.

  • @fredericocrespo
    @fredericocrespo 1 year ago

    Joe, thanks a lot for this one! As usual, great content coming from you! Congrats!

  • @keshavkauchha3141
    @keshavkauchha3141 1 year ago

    You are the best instructor Joe!!!!!!!!!

  • @poojagangwar9338
    @poojagangwar9338 1 year ago

    Thanks Joe. Super useful video for the great walkthrough end to end!!

  • @santhoshb.n7384
    @santhoshb.n7384 3 years ago +1

    Still I have not seen it completely. But thanks for sharing. I was searching for docs for 3 months. Now I got this video only.

  • @uvsumit
    @uvsumit 3 years ago +1

    Great video Joe! You deserve a lot of attention 😊

  • @fredm439
    @fredm439 1 year ago

    Great video and very helpful. Thanks for all the efforts and help

  • @bshwjt
    @bshwjt 11 months ago

    Awesome one Joe, I am a PKI guy but new in CyberArk, looking forward to more with CyberArk REST API from scratch like setting all the env. variables from CyberArk

  • @zan_adiputra
    @zan_adiputra 1 year ago

    It's very good video, Mr. Joe. Thank you!

  • @AbhishekSingh-sr5uz
    @AbhishekSingh-sr5uz 1 year ago +1

    Hi Joe, amazing video. Just one question. If we use client certificate authentication, does the certificate private key have to be present locally on the Linux machine in order to execute the curl command to make a web service call? I believe without the key the authentication will simply fail due to no SSL handshake?
    Earlier I thought just the cert serial number is needed for the application in PVWA but after more digging I now think the key has to be available locally on the Linux machine making the REST call to AIMWebService. Is my understanding correct?

    • @infamousjoeg
      @infamousjoeg 1 year ago +1

      Yes, both the private key and public certificate must be sent with the request to the API endpoint for proper client certificate authentication.

    • @AbhishekSingh-sr5uz
      @AbhishekSingh-sr5uz 1 year ago +1

      @@infamousjoeg Thanks Joe. Isn't it insecure to have the private key in PEM format? Can we use P12 format in the curl command when authenticating to CCP? I am sure a lot of organisations won't prefer a key file in PEM format which is essentially a text format.

    • @infamousjoeg
      @infamousjoeg 1 year ago +1

      @@AbhishekSingh-sr5uz The private key should have file permissions that only allow root to use it. It’s not as secure as fetching via CCP, but it’s better than not setting least privilege file permissions. Another way to increase the security is by making these short-lived certificates using Venafi or another solution to manage them as a service.
      Regardless, you can send them in a p12 bundle using curl:
      curl --cert-type P12 --cert cert.p12:password …

  • @Dzemaily
    @Dzemaily 1 year ago

    Thanks a lot Joe. A year on and this still helped me. Only comment is that you should have put the serial number of the certificate on CyberArk and not the thumbprint. 👏👏
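    The two recurring points in this thread, the AppID wanting the certificate's serial number rather than its thumbprint, and the client key file needing restrictive permissions, as an added Python example that is not code from the video, from CyberArk or from any commenter. It hand-parses DER to pull serialNumber, computes the SHA-1 thumbprint to show the two are different things, and checks a key file's mode bits; the sample certificate is a constructed, unsigned minimal structure, not a real certificate, and the function names are this example's own.

    ```python
    import base64
    import hashlib
    import os
    import tempfile

    def pem_to_der(pem: str) -> bytes:
        # Strip the PEM armour lines and base64-decode the body to DER
        body = "".join(line.strip() for line in pem.splitlines()
                       if line.strip() and not line.startswith("-----"))
        return base64.b64decode(body)

    def _read_tlv(buf: bytes, pos: int):
        # Read one DER tag-length-value; return (tag, value, position after it)
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        return tag, buf[pos:pos + length], pos + length

    def certificate_serial_number(der: bytes) -> str:
        # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL, serialNumber INTEGER, ... }, ... }
        _, cert_body, _ = _read_tlv(der, 0)       # outer Certificate SEQUENCE
        _, tbs, _ = _read_tlv(cert_body, 0)       # tbsCertificate SEQUENCE
        tag, value, pos = _read_tlv(tbs, 0)
        if tag == 0xA0:                           # skip the EXPLICIT [0] version field when present
            tag, value, pos = _read_tlv(tbs, pos)
        if tag != 0x02:
            raise ValueError("serialNumber INTEGER not found")
        if len(value) > 1 and value[0] == 0:      # drop the sign-padding byte of a positive INTEGER
            value = value[1:]
        return value.hex().upper()                # this hex string is what the AppID expects

    def certificate_thumbprint(der: bytes) -> str:
        # The Windows "thumbprint" is SHA-1 over the whole DER blob; it is not a field in the certificate
        return hashlib.sha1(der).hexdigest().upper()

    def classify_appid_value(der: bytes, configured: str) -> str:
        # Tell whether a value typed into the AppID is the serial number, the thumbprint, or neither
        norm = configured.replace(":", "").replace(" ", "").upper()
        if norm == certificate_serial_number(der):
            return "serial"
        if norm == certificate_thumbprint(der):
            return "thumbprint"
        return "unknown"

    def private_key_permissions_ok(path: str) -> bool:
        # The key file must carry no group/other bits (0600 or stricter), as advised in the thread
        return (os.stat(path).st_mode & 0o077) == 0

    def check_mode_on_temp_file(mode: int) -> bool:
        # Create a throw-away file with the given mode and run the permission check on it
        fd, path = tempfile.mkstemp()
        os.close(fd)
        try:
            os.chmod(path, mode)
            return private_key_permissions_ok(path)
        finally:
            os.remove(path)

    def _der(tag: int, content: bytes) -> bytes:
        return bytes([tag, len(content)]) + content   # short-form length only (content < 128 bytes)

    # Constructed sample: a minimal, unsigned DER "certificate" holding only version and serialNumber
    SAMPLE_SERIAL = bytes.fromhex("00ABCDEF1234567890")  # leading 0x00 keeps the INTEGER positive
    SAMPLE_DER = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, SAMPLE_SERIAL)))
    SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(SAMPLE_DER).decode()
    ```

    On a real PEM export, `certificate_serial_number(pem_to_der(open(path).read()))` gives the value to put on the AppID, and `classify_appid_value` tells you whether an existing entry was a thumbprint pasted by mistake.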

  • @zo-moto
    @zo-moto 1 year ago

    Thank you for this, wish you more success.

  • @renniernou
    @renniernou 3 years ago +1

    Thanks Joe!

  • @PoojaKumari-wu3yh
    @PoojaKumari-wu3yh 1 year ago

    Great content per usual!!

  • @NazirAhmed
    @NazirAhmed 3 years ago +1

    Brilliant...👍🙂

  • @Raj-jo8ul
    @Raj-jo8ul 1 year ago

    Great Video Joe !!!

  • @acastrellon
    @acastrellon 2 years ago +1

    Great video!! Seems like having certs for each application can become a workload for maintenance as you would own them. Renew the cert, send the new cert to the application using the CCP offering, update the SN on the application in CyberArk, restart services, remove the old cert from the CCP server(s) and install the new one. Any suggestions to help with this?

  • @mastanvmware3585
    @mastanvmware3585 3 years ago +1

    Hi Joe, it is a very good video for the cert authentication method. But one question here, the user may run on multiple machines and the cert thumbprint/serial number may vary on each machine. In this use case, how to configure multiple thumbprint numbers in CCP and IIS to enable the user cert authentication method?

    • @infamousjoeg
      @infamousjoeg 3 years ago

      You would follow the same process for every certificate and then add the additional thumbprints as Certificate Serial Numbers on the Application ID inside CyberArk PVWA.

    • @mastanvmware3585
      @mastanvmware3585 3 years ago

      @@infamousjoeg Thank you Joe

  • @JamesAshley92
    @JamesAshley92 3 years ago +2

    Hey Joe, excellent video!
    A couple of questions: you insinuated OS User and certificate authentication can be leveraged simultaneously, can you confirm that? I was under the impression they couldn't be used together on the same application.
    Additionally, my current biggest issue with CCP is it does not seem to be possible to leverage a load balancer, allowed machines, and certificate authentication at the same time. Do you have any suggestions on that?

    • @NazirAhmed
      @NazirAhmed 3 years ago

      Same here, will be testing with load balancer today

    • @NazirAhmed
      @NazirAhmed 3 years ago

      We got it working on single machines before watching this video, though this video is excellent in explaining. My issue is working with a load balancer. I have installed a new client cert on CCP srv 1 and then exported to CCP srv 2. Also configured the rule via IIS > Configuration editor; the same cert is used in the Postman call, but I am getting "appap330e", "Failed to verify application authentication data: could not obtain client certification details". Direct requests to each CCP server work fine.

    • @crhpjeff
      @crhpjeff 3 years ago +2

      You can define the load balancer as a Transparent Proxy to preserve the source IP of the originator. It will avoid using x-forward-for. This way the load balancer does not modify the packet and the Central Credential Provider is not aware that the load balancer is managing the network traffic. Client Certificate and Source IP authentication restrictions will only work when setting up the load balancer for full transparent passthrough and to also ensure the client IP is being preserved through the load balancer (referred to as ensuring SNAT is disabled and passthrough is enabled on an F5 load balancer).

    • @crhpjeff
      @crhpjeff 3 years ago +1

      @@NazirAhmed see my other comment

    • @infamousjoeg
      @infamousjoeg 3 years ago +2

      @crhpjeff is correct. Also, some load balancers support "Client Certificate Passthrough" which can be enabled to prevent the certificate's termination at the load balancer... which is why you're receiving the APPAP330E error.

  • @raulsainz-ezkerra7906
    @raulsainz-ezkerra7906 3 years ago +1

    Hi Joe, Great Video! I have a question. Is it possible to have several certificate authorities configured in the IIS to accept different certificates? A Microsoft CA and DigiCert CA for example, so if one app uses a Microsoft certificate and another app uses a DigiCert certificate it will not have problems in the validation. Regards

    • @infamousjoeg
      @infamousjoeg 3 years ago

      Yeah, this is absolutely possible. Check out the "Trusted Third Party Root CA" certificates that are pre-loaded in your Certificates module snap-in to see everything that's already trusted out of the box.

  • @GloomyGolf
    @GloomyGolf 2 years ago +1

    Hi Joe, great content per usual. I am in the process of setting a few apps up with Client auth, currently getting "APPAP330E Failed to verify application authentication data: Could not obtain client certificate details." I have verified the application/safe in the PVWA with customer support, everything seems fine. We have gone over the cert as well as IIS settings with no resolution in sight. I am wondering if you have seen this error and have an idea of what I should be checking? There is a doc from CyberArk for the above error, but none of the suggestions resolved our issue. Any help would be greatly appreciated.

    • @infamousjoeg
      @infamousjoeg 2 years ago

      Yes, I've seen that error before. That is an error returned when the CCP cannot decrypt the certificate sent in the API request. The API request to the CCP should include the certificate AND the key so that the CCP can decrypt and read the details of the certificate to do Certificate Serial Number authentication.

  • @GardUndheim
    @GardUndheim 2 years ago +1

    Hi Joe. Great video. One thing that's still somewhat unclear to me is why the CCP server needs the private key for the client certificate. When including the private key in the API request, I thought it only used that for encrypting a signature. Also, do we need to actually install the client certificate in the certificate store on the CCP servers, when the whole chain is already present?

    • @infamousjoeg
      @infamousjoeg 2 years ago

      Hey there, great questions! You're correct in that the private key is only used for encrypting the signature. This was something I learned after recording this video and documented in an explanation (so I don't forget!) that you can find here: gist.github.com/infamousjoeg/d745d97de62c3086fffabc2ff2d0998f. As for why the certificate needs to be installed on the CCP server... technically, it doesn't need to be unless you want to configure the Client Certificate Mapping that I did at the IIS level. If you'd prefer, you can completely ignore that portion of the video, not install the client certificate on the CCP server, and just use CyberArk to validate the thumbprint (Certificate Serial Number) and/or attributes (documented here: docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/WebServices/Add%20Authentication.htm#certattrauthn).

  • @rachaelc4254
    @rachaelc4254 2 years ago

    What if the "add certificate serial number" is missing from the drop down for the add button in the interface?

    • @infamousjoeg
      @infamousjoeg 2 years ago

      That's very odd. I would reach out to our Support and submit a support ticket to have that looked into. www.cyberark.com/services-support/technical-support/

  • @interestingcontent2025
    @interestingcontent2025 2 years ago

    Can you show how we could configure an IIS virtual directory to fetch its credential from CCP instead of hard coding it in IIS?

  • @monty_singh465
    @monty_singh465 2 years ago

    Great video! I am still getting "Failed to verify application authentication data: could not obtain client certificate details"

    • @infamousjoeg
      @infamousjoeg 2 years ago

      You need to be sure to include both the client certificate and key in the API request to the CCP web service. Missing any of those will result in that error being returned.

  • @wirelescastle3968
    @wirelescastle3968 2 years ago

    How can I check my certificate authentication password? I forgot it.

  • @tsramkumar
    @tsramkumar 2 years ago

    Joe - Thanks for the video, was very insightful.
    Quick question - What is the recommended best practice - Have a single CA-issued cert and use it across all applications or use a separate cert for each application?

    • @infamousjoeg
      @infamousjoeg 2 years ago

      The recommended best practice is a certificate per application.

    • @tsramkumar
      @tsramkumar 2 years ago

      @@infamousjoeg Thanks for the suggestions.
      Had yet another question. Followed through the steps to configure IIS for client cert auth and the AIM webservice in our IIS is set to use the "Accept" option for client certificates in order to have a hybrid environment to start with. Following that, I am running into a strange issue when I attempted to test the CCP without client auth.
      Calls to CCP from Postman or a browser window or PowerShell work fine without a client cert but fail from an AutoIt script that we have coded to call the CCP (all using the same parameters). It fails with the error "a certificate is required to complete authentication". I am at a loss to understand why the call from AutoIt alone will fail. Reverting back to the "ignore" option in SSL settings for client certificate in PVWA for the AIM webservice allows the CCP call from AutoIt to go through.
      Any clues?

    • @infamousjoeg
      @infamousjoeg 2 years ago

      @@tsramkumar My guess is that you have the Certificate stored in the local cert store on Windows and PowerShell + Browser is able to use it. However, AutoIt isn't capable of doing that and that's causing the issue.

    • @tsramkumar
      @tsramkumar 2 years ago

      @@infamousjoeg Figured it out. I had to set the option to indicate no client certs will be presented on the API call to CCP in AutoIt. Thanks for the prompt response

  • @AnkitGupta-qp3ev
    @AnkitGupta-qp3ev 3 years ago

    Awesome video

  • @karanparmar4421
    @karanparmar4421 3 years ago +1

    What happens if we have CCP installed on PVWA?

    • @infamousjoeg
      @infamousjoeg 3 years ago +1

      That is the setup in the video.

    • @karanparmar4421
      @karanparmar4421 3 years ago

      I do have a question here, will I be able to utilize the pvwa cert to setup the issuer? Or do I need a separate cert for it to work? I’m assuming you used a separate cert to just show how other applications will be authenticating at the end.

    • @infamousjoeg
      @infamousjoeg 3 years ago +2

      The PVWA certificate you are referring to is not configured for Client Authentication. You would need to create a new certificate for either the User or Computer that has Client Authentication configured on it.

  • @SanjayGupta-kl5xi
    @SanjayGupta-kl5xi 2 years ago

    Great Video🙏🏻 Huge Respect. Could you please make one more detailed and easy to understand video like this on Credential Provider as you made for CCP? Is it necessary to have CP before CCP? Please consider details of WHO, WHY, WHERE, WHEN CP and CCP are needed and to use? Please🙏🏻

  • @mohanradu
    @mohanradu 2 years ago

    Hi Joe, I followed your exact steps but it does not seem to work for me, meaning that the AIMWebService does not seem to enforce client authentication at all.
    Doing a Wireshark capture, it seems the server is not sending a Certificate Request message after the SSL client hello. I am able to retrieve the credentials from the vault but without any enforcement.
    Running Windows Server 2012 with a CyberArk 12.6 environment. Do you have any idea what the issue might be?

    • @infamousjoeg
      @infamousjoeg 2 years ago

      Make sure that the SSL Settings for "Client Certificate" for the website in IIS is set to "Require" if you want it enforced. My guess is you set SSL to "Require" but "Client Certificates" is still set to "Ignore".

    • @mohanradu
      @mohanradu 2 years ago

      Hi Joe, I figured out what is happening by decrypting the SSL traffic. It seems CyberArk does not send a Certificate Request during the initial handshake. After the GET request from the client, CyberArk returns a Hello Request for a new handshake negotiation. During that new handshake, it requests the certificate using a Certificate Request.

    • @mohanradu
      @mohanradu 2 years ago

      So, it was actually working, but my assumption was that the server (IIS webservice in this case) needs to send the Certificate Request during the initial handshake. It seems it's not the case, maybe for security reasons (as subsequent handshakes are already encrypted so the client certificate will also be encrypted)

  • @sf5912
    @sf5912 2 years ago

    Out of interest I changed the issuer text to something different than the CN on the certificate for the IIS security config...to see if it does actually block access. It still retrieves the credential (via Postman)? What am I doing wrong? Or does this not actually work and prevent access (via AIMWebService) if the certificate has a different CN value?

    • @infamousjoeg
      @infamousjoeg 2 years ago

      You would need to also update the SSL Settings in IIS on the AIMWebService website to "Accept" instead of "Ignore". It may be that you're ignoring the certificate there in IIS and it's passing through to us without any actual certificate mapping occurring there.

    • @sf5912
      @sf5912 2 years ago

      @@infamousjoeg Thanks for the reply. It is set to "Accept". Maybe it is because the credential has been previously cached? It would be good if someone else could try it and confirm it works for them (and blocks access) and post the error returned here.

  • @tsramkumar
    @tsramkumar 1 year ago

    @Joe Garcia
    Is the step to enable iisclientcertificateauthenticationmapping absolutely required? I looked back at my config and the CCP client cert authentication works without that. Not sure how it would.
    Also, I tried to invoke CCP using a client cert that was not loaded in the certificate store in the PVWA hosting the AIMWebService. It only had the root CA.
    The only time it failed was when I did not send a cert or the serial number defined for the app in PVWA didn't match what I sent.
    Any thoughts?

  • @vizas4451
    @vizas4451 1 year ago

    👍👍

  • @UncannyTalent
    @UncannyTalent 3 years ago +2

    Hey Joe, great video! Here are a few questions I have:
    1) You mentioned the documentation is missing a step which is to configure the IIS Client Certificate mapping. In my experience, if the CCP is joined to the Domain and the Domain Controllers are using the same CA that was used to issue the client certificate then the CCP can validate the certificate without additional configuration. So should we focus on that additional configuration, not in the documentation, you mentioned when dealing with client certificates not trusted by the CCP by default or for further security to allow IIS to accept certain certs?
    2) I have had troubles still not getting the latest configuration from my CCP or CPs when restarting the service. I was told this was because the interval still plays a part even restarting the CP service to prevent it from reaching the Vault after each restart or credential retrieval causing a potential DOS of the Vault if too many CPs perform the task at once. I was instructed to Clear the CP Cache and then restart the service so we ensure the latest configuration is retrieved. Is that accurate?
    3) Do you have any good resources/examples within CyberArk on how to send Client Certificate request via RestAPI and SOAP in both Linux and Windows environments?
    4) Does CyberArk have a list of items in the documentation stating the limitations of using a Load-Balancer with the CCPs?

    • @infamousjoeg
      @infamousjoeg 3 years ago +1

      1. I would follow it for further security. If you are not experiencing trust issues and are fine with any trusted issuer making it to the AIMWebService in IIS, there is no need to configure it.
      2. I would follow the advice of CyberArk Support. In my lab, I do not run with an AIM Cache since I'm just doing testing, so I cannot speak to that experience as informed as our Support.
      3. I have examples for C++, Python, and Kotlin (Java). You can find them at cybr.rocks/greatesthits.
      4. As far as official documentation goes, this is what we have: docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CCP/Load-Balancing-the-Central-Credential-Provider.htm. There is more specific information on the Technical Community that can be searched. Here is an example of a Knowledge Base article that documents load-balancing CCP using F5: cyberark-customers.force.com/s/article/How-to-configure-CCP-Load-Balancing-with-an-F5-load-balancer-using-a-SNAT-Proxy.

    • @tomtom4405
      @tomtom4405 3 years ago

      @@infamousjoeg In my limited experience the trip hazard for this is all around the IIS config and the cert usages and chain; this is I think where the detail should be, as it's where the problems will be experienced on site
      1) When people change IIS for CCP to accept certs you suddenly learn that other clients are sending certs in their requests and some of those may not be valid/trusted (in our expectation) and it "breaks" CCP for them. I think people need a warning there
      2) I'd expect the cert used for clients' CCP requests to chain up to the corporate root and the CCP server (probably PVWA) to already have the chain, so I would hope people *shouldn't* need to copy over the public part of the cert onto the CCP server certificate store; that might even be bad practice
      3) Getting the cert usage correct on the client to include client authentication always seems to surprise people for whatever reason? So I think a more explicit warning should be given to that too.
      Great video though, thanks!