This section explains how to configure Zabbix to retrieve secrets from CyberArk Vault CV12.
The vault should be installed and configured as per the official CyberArk documentation.
To learn about configuring TLS in Zabbix, see Storage of secrets section.
Access to a secret with database credentials is configured for each Zabbix component separately.
To obtain database credentials for Zabbix server or proxy from the vault, specify the following configuration parameters in the configuration file:
Zabbix server also uses these configuration parameters (except VaultDBPath) for vault authentication when processing vault secret macros.
Zabbix server and Zabbix proxy read the vault-related configuration parameters from zabbix_server.conf and zabbix_proxy.conf upon startup.
Example
In zabbix_server.conf, specify:
Vault=CyberArk
VaultURL=https://127.0.0.1:1858
VaultDBPath=zabbix_server&Query=Safe=passwordSafe;Object=zabbix_server_database
VaultTLSCertFile=cert.pem
VaultTLSKeyFile=key.pem
Zabbix will send the following API request to the vault:
$ curl \
--header "Content type: application/json" \
--cert cert.pem \
--key key.pem \
https://127.0.0.1:1858/AIMWebService/api/Accounts?AppID=zabbix_server&Query=Safe=passwordSafe;Object=zabbix_server_database
Vault response, from which the keys "Content" and "UserName" should be retrieved:
{
"Content": <password>,
"UserName": <username>,
"Address": <address>,
"Database" :<Database>,
"PasswordChangeInProcess":<PasswordChangeInProcess>
}
As a result, Zabbix will use the following credentials for database authentication:
To obtain database credentials for Zabbix frontend from the vault, specify required settings during frontend installation.
At the Configure DB Connection step, set Store credentials in parameter to CyberArk Vault.
Then, fill in additional parameters:
Parameter | Mandatory | Default value | Description |
---|---|---|---|
Vault API endpoint | yes | https://localhost:1858 | Specify the URL for connecting to the vault in the format scheme://host:port |
Vault secret query string | yes | A query, which specifies from where database credentials should be retrieved. Example: AppID=foo&Query=Safe=bar;Object=buzz:key |
|
Vault certificates | no | After marking the checkbox, additional parameters will appear allowing to configure client authentication. While this parameter is optional, it is highly recommended to enable it for communication with the CyberArk Vault. |
|
SSL certificate file | no | conf/certs/cyberark-cert.pem | Path to SSL certificate file. The file must be in PEM format. If the certificate file contains also the private key, leave the SSL key file parameter empty. |
SSL key file | no | conf/certs/cyberark-key.pem | Name of the SSL private key file used for client authentication. The file must be in PEM format. |
To use CyberArk Vault for storing Vault secret user macro values:
The macro value should contain a query (as query:key
).
See Vault secret macros for detailed information about macro value processing by Zabbix.
The colon symbol (:
) is reserved for separating the query from the key. If a query itself contains a forward slash or a colon, these symbols should be URL-encoded (/
is encoded as %2F
, :
is encoded as %3A
).
Example
In Zabbix: add user macro {$PASSWORD} with type Vault secret and value: AppID=zabbix_server&Query=Safe=passwordSafe;Object=zabbix:Content
Zabbix will send API request to the vault:
$ curl \
--header "Content type: application/json" \
--cert cert.pem \
--key key.pem \
https://127.0.0.1:1858/AIMWebService/api/Accounts?AppID=zabbix_server&Query=Safe=passwordSafe;Object=zabbix
Vault response, from which the key "Content" should be retrieved:
{
"Content": <password>,
"UserName": <username>,
"Address": <address>,
"Database" :<Database>,
"PasswordChangeInProcess":<PasswordChangeInProcess>
}
Macro resolves to the value: <password>
To update an existing configuration for retrieving secrets from a CyberArk Vault:
Update the Zabbix server or proxy configuration file parameters as described in the Database credentials section.
Update the DB connection settings by reconfiguring Zabbix frontend and specifying the required parameters as described in the Frontend section. To reconfigure Zabbix frontend, open the frontend setup URL in the browser:
Alternatively, these parameters can be set in the frontend configuration file (zabbix.conf.php):
$DB['VAULT'] = 'CyberArk';
$DB['VAULT_URL'] = 'https://127.0.0.1:1858';
$DB['VAULT_DB_PATH'] = 'AppID=foo&Query=Safe=bar;Object=buzz';
$DB['VAULT_TOKEN'] = '';
$DB['VAULT_CERT_FILE'] = 'conf/certs/cyberark-cert.pem';
$DB['VAULT_KEY_FILE'] = 'conf/certs/cyberark-key.pem';
To update an existing configuration for retrieving secrets from a HashiCorp Vault, see HashiCorp configuration.