Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

CyberArk Blue Prism Integration - Certificates

Go to answer
JiriHlucil
Level 4

‎22-06-21 06:16 AM

Dear community,

my query relates to the CyberArk Blue Prism Integration solution that is published on the BP Digital Exchange website:

https://digitalexchange.blueprism.com/dx/entry/10326/solution/blue-prism-cyberark-integration

The integration  is primarily designed to authenticate BP client using a client certificate. A Client Certificate will need to be distributed to each Blue Prism Runtime Resource machine.

Is it to be a single certificate, a certificate with the same serial number, that will be distributed in this way? Is it better to store it in the current users' certificate store or the local machine certificate store?

Does anyone have any practical experience with this?
Thank you

Jiri


------------------------------
Jiri Hlucil
Blue Prism Developer
Sberbank CZ, a. s.
Europe/Prague
------------------------------
0 Likes
1 BEST ANSWER

Helpful Answers

Go to answer
charliekovacs
Staff
Staff
In response to JiriHlucil

‎23-06-21 04:48 PM

The thumbprint will be unique to each certificate, so no two certificates should have the same thumbprint.

That process in the CyberArk integration is more of an example rather than a production-ready process. With multiple Digital Workers at play, each with their own unique certificate, you can use that example process as a springboard, but you will want to re-work it so that it can dynamically select the right thumbprint for the Digital Worker who runs the process. Off the top of my head, this might be some sort of lookup table that matches the Digital Worker's computer name to the right certificate thumbprint.

Have you worked with the Login Agent before? I ask because the Login Agent VBO has a clever way of using BP's Credential manager and an environment variable to dynamically retrieve a password for a Digital Worker. You could apply this same logic to the CyberArk certificate thumbprint retrieval. Just food for thought, but this would be my approach for a CyberArk production environment.

https://bpdocs.blueprism.com/bp-7-0/en-us/Guides/login-agent/advanced-installation-configuration.htm#Setting

Cheers

------------------------------
Charles Kovacs
Developer Consultant
Blue Prism
America/Chicago
------------------------------
Charlie Kovacs

View answer in original post

0 Likes
3 REPLIES 3

Go to answer
charliekovacs
Staff
Staff

‎22-06-21 04:37 PM

Hi Jiri,

In my experience with CyberArk, each Digital Worker would have its own unique client certificate (stored in the User Certificate store). In that way, it is clear to CyberArk which Digital Worker it is communicating with.

------------------------------
Charles Kovacs
Developer Consultant
Blue Prism
America/Chicago
------------------------------
Charlie Kovacs
0 Likes

Go to answer
JiriHlucil
Level 4
In response to charliekovacs

‎23-06-21 07:35 AM

Hi Charles,

thank you for your reply.
What you write sounds logical. It will be a suitable solution for our environment where we have a Digital Worker fixed to each BP runtime resource.

However, the CyberArk Blue Prism Integration solution that is published on the BP Digital Exchange website assumes a single certificate definition in the process layer based on the thumbprint. Can multiple personal certificates have the same thumbprint? I confess that I don't know much about digital certificates.

Jiri


JH

------------------------------
Jiri Hlucil
Blue Prism Developer
Sberbank CZ, a. s.
Europe/Prague
------------------------------
0 Likes

Go to answer
charliekovacs
Staff
Staff
In response to JiriHlucil

‎23-06-21 04:48 PM

The thumbprint will be unique to each certificate, so no two certificates should have the same thumbprint.

That process in the CyberArk integration is more of an example rather than a production-ready process. With multiple Digital Workers at play, each with their own unique certificate, you can use that example process as a springboard, but you will want to re-work it so that it can dynamically select the right thumbprint for the Digital Worker who runs the process. Off the top of my head, this might be some sort of lookup table that matches the Digital Worker's computer name to the right certificate thumbprint.

Have you worked with the Login Agent before? I ask because the Login Agent VBO has a clever way of using BP's Credential manager and an environment variable to dynamically retrieve a password for a Digital Worker. You could apply this same logic to the CyberArk certificate thumbprint retrieval. Just food for thought, but this would be my approach for a CyberArk production environment.

https://bpdocs.blueprism.com/bp-7-0/en-us/Guides/login-agent/advanced-installation-configuration.htm#Setting

Cheers

------------------------------
Charles Kovacs
Developer Consultant
Blue Prism
America/Chicago
------------------------------
Charlie Kovacs
0 Likes