CyberArk password management with JBoss

Does anyone have any experience implementing CyberArk password management with Pega & JBoss (7.x)? I’ve seen a few questions on here but few actual answers.

Looking at the CyberArk documentation, it does not appear that any specific configurations would be required within Pega for CyberArk integration; all the configuration is done on the AppServer.

Officially, it appears that CyberArk password management is only supported on WebSphere, although I have seen some references to it being supported (or at least used) with Tomcat as well.

Thanks
-Ryan

Hello Ryan!

I was finally able to get CyberArk password management working. The configuration of JBoss was fairly straightforward; however, during startup CyberArk quickly ate up all the available connections and Pega was unable to start with the error:

2021-07-30 13:50:06,273 WARNING [com.pega.pegarules.internal.bootstrap.PRMiniLoader] (ServerService Thread Pool – 8) PRMiniLoader - unable to load classes from the database: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/jdbc/PegaRULES

Some searching around led me to this article, which provided a solution for getting CyberArk ASCP working: Class loader resource workaround for CyberArk | Pega

“The use of CyberArk (a 3rd party password manager) to secure database connections resulted in an infinite loop while trying to obtain a db connection. The CyberArk client “walks” the call stack and tries to obtain the URL of each class (resource) in the call chain to verify that all jars referenced are “authorized” to obtain the password, and it is not possible to disable this logic. The loop issue happened because the Pega 7 class loaders read the database during the process of generating the URL for a class, causing another db connection to be requested and starting the validation process again. In order to provide a workaround for the lack of customization in CyberArk, the class loaders have been modified to optionally bypass reading the database when a URL is requested for a CLASS resource (all other resource types must still go to the database to check for existence). The new behavior is enabled by setting the Java system property -Dcom.pega.prminiloader.avoiddbforgetresource=true. (The flag must be a Java system property because it has to be read before any database operations are performed.)”

It’s unclear whether there are any side effects of enabling that JVM flag, but in my limited testing the server appears to be working fine.
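As an added example (not part of Ryan's post or of Pega's documentation), a small POSIX shell helper for a JBoss EAP 7.x host: it checks whether standalone.conf already carries the system property named in the Pega article, appends it idempotently if not, and counts the IJ000453 warnings in a server.log excerpt so the pool-exhaustion symptom can be confirmed before and after the change. File paths and log lines are constructed for illustration.

```shell
# Added example: manage the Pega class-loader workaround flag for the CyberArk
# stack-walk loop on JBoss EAP 7.x. Paths and sample data below are constructed.

PEGA_FLAG='-Dcom.pega.prminiloader.avoiddbforgetresource=true'

# Return 0 if an uncommented line of the given standalone.conf contains the flag.
has_cyberark_workaround() {
  # Drop comment lines first so a commented-out flag does not count as active.
  grep -v '^[[:space:]]*#' "$1" | grep -qF -- "$PEGA_FLAG"
}

# Count IJ000453 "Unable to get managed connection" warnings in a server.log.
count_pool_exhaustion() {
  # grep -c exits 1 when the count is 0; still print the count and succeed.
  grep -c 'IJ000453' "$1" || true
}

# Append the flag to standalone.conf's JAVA_OPTS unless it is already present.
# Must be a JVM system property: Pega reads it before any database access.
add_cyberark_workaround() {
  has_cyberark_workaround "$1" && return 0
  printf '\n# Pega: skip DB lookups for CLASS resources while CyberArk walks the call stack\nJAVA_OPTS="$JAVA_OPTS %s"\n' "$PEGA_FLAG" >> "$1"
}

# Demo on constructed files (hypothetical paths under a temp directory).
demo_dir=$(mktemp -d)
printf 'JAVA_OPTS="-Xms2g -Xmx4g"\n' > "$demo_dir/standalone.conf"
printf '2021-07-30 13:50:06,273 WARNING [PRMiniLoader] IJ000453: Unable to get managed connection for java:/jdbc/PegaRULES\n2021-07-30 13:50:06,280 INFO  startup continues\n2021-07-30 13:50:06,291 WARNING [PRMiniLoader] IJ000453: Unable to get managed connection for java:/jdbc/PegaRULES\n' > "$demo_dir/server.log"

echo "IJ000453 warnings in constructed log: $(count_pool_exhaustion "$demo_dir/server.log")"
add_cyberark_workaround "$demo_dir/standalone.conf"
if has_cyberark_workaround "$demo_dir/standalone.conf"; then
  echo "workaround flag present in $demo_dir/standalone.conf"
fi
rm -rf "$demo_dir"
```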