topic RE: CyberArk Blue Prism Integration - Certificates in Digital Exchange

CyberArk Blue Prism Integration - Certificates

hlucil.jiri — Tue, 22 Jun 2021 05:16:00 GMT

Dear community,

my query relates to the CyberArk Blue Prism Integration solution that is published on the BP Digital Exchange website:

https://digitalexchange.blueprism.com/dx/entry/10326/solution/blue-prism-cyberark-integration

The integration is primarily designed to authenticate BP client using a client certificate. A Client Certificate will need to be distributed to each Blue Prism Runtime Resource machine.

Is it to be a single certificate, a certificate with the same serial number, that will be distributed in this way? Is it better to store it in the current users' certificate store or the local machine certificate store?

Does anyone have any practical experience with this?
Thank you

Jiri

------------------------------
Jiri Hlucil
Blue Prism Developer
Sberbank CZ, a. s.
Europe/Prague
------------------------------

RE: CyberArk Blue Prism Integration - Certificates

charliekovacs — Tue, 22 Jun 2021 15:37:00 GMT

Hi Jiri,

In my experience with CyberArk, each Digital Worker would have its own unique client certificate (stored in the User Certificate store). In that way, it is clear to CyberArk which Digital Worker it is communicating with.

------------------------------
Charles Kovacs
Developer Consultant
Blue Prism
America/Chicago
------------------------------

RE: CyberArk Blue Prism Integration - Certificates

hlucil.jiri — Wed, 23 Jun 2021 06:35:00 GMT

Hi Charles,

thank you for your reply.
What you write sounds logical. It will be a suitable solution for our environment where we have a Digital Worker fixed to each BP runtime resource.

However, the CyberArk Blue Prism Integration solution that is published on the BP Digital Exchange website assumes a single certificate definition in the process layer based on the thumbprint. Can multiple personal certificates have the same thumbprint? I confess that I don't know much about digital certificates.

Jiri

JH

------------------------------
Jiri Hlucil
Blue Prism Developer
Sberbank CZ, a. s.
Europe/Prague
------------------------------

RE: CyberArk Blue Prism Integration - Certificates

charliekovacs — Wed, 23 Jun 2021 15:48:00 GMT

The thumbprint will be unique to each certificate, so no two certificates should have the same thumbprint.

That process in the CyberArk integration is more of an example rather than a production-ready process. With multiple Digital Workers at play, each with their own unique certificate, you can use that example process as a springboard, but you will want to re-work it so that it can dynamically select the right thumbprint for the Digital Worker who runs the process. Off the top of my head, this might be some sort of lookup table that matches the Digital Worker's computer name to the right certificate thumbprint.

Have you worked with the Login Agent before? I ask because the Login Agent VBO has a clever way of using BP's Credential manager and an environment variable to dynamically retrieve a password for a Digital Worker. You could apply this same logic to the CyberArk certificate thumbprint retrieval. Just food for thought, but this would be my approach for a CyberArk production environment.

https://bpdocs.blueprism.com/bp-7-0/en-us/Guides/login-agent/advanced-installation-configuration.htm#Setting

Cheers

------------------------------
Charles Kovacs
Developer Consultant
Blue Prism
America/Chicago
------------------------------