SSH certificate adaptable issuance flows

SSH certificate issuance flows use the CyberArk Adaptable Framework to let you validate SSH certificate issuance requests against external solutions. This gives you significant control over when and how SSH certificates are issued. For example, you can do the following:

  • Ensure SSH host certificates are not issued for a server not managed by the company.

  • Modify certificate attribute values depending on the request. (For example, you can validate the FQDN through reverse DNS lookup of the requesting IP, rather than trusting the information provided by the requestor.)

  • Create restrictions on when users can request SSH certificates. Requests made during off hours can be rejected. Incidents can be logged in your ITSM tool.

Issuance flows allow you to define custom logic to be executed prior to certificate issuance. The custom logic is written in Windows PowerShell, and stored on the Trust Protection Foundation server. Administrators can remote to the Trust Protection Foundation server to modify PowerShell scripts as needed. By defining separate PowerShell scripts for different issuance flows, you have the flexibility to cover multiple use cases including:

  • Configuration Management Database (CMDB) validation

  • Attribute modification

  • IT Service Management (ITSM) integration
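As an added illustration (not the product's own script, and not using the Adaptable Framework's actual entry point or parameter names, which this page does not document), the following PowerShell function applies the three kinds of checks described above to a hypothetical request: an off-hours restriction, reverse-DNS validation of the requested FQDN, and a CMDB-style managed-host check. The Test-SshIssuanceRequest name, its parameters, and the sample IP and host names are all assumptions.

```powershell
# Added example, not CyberArk/Venafi code. The Adaptable Flow script's real entry
# point and parameter names are product-specific and are NOT reproduced here;
# Test-SshIssuanceRequest is a hypothetical helper you would call from that script.
function Test-SshIssuanceRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$RequestedFqdn,   # FQDN the requestor claims
        [Parameter(Mandatory)][string]$RequestorIp,     # source IP of the request
        [string[]]$ManagedHosts = @(),                  # assumption: host list pulled from the CMDB
        [int]$BusinessHoursStart = 8,                   # assumption: 08:00-18:00 local time
        [int]$BusinessHoursEnd = 18,
        [datetime]$Now = (Get-Date)
    )

    $result = [ordered]@{ Allow = $true; Fqdn = $RequestedFqdn; Reasons = @() }

    # 1. Off-hours restriction: reject requests outside business hours or on weekends.
    if ($Now.Hour -lt $BusinessHoursStart -or $Now.Hour -ge $BusinessHoursEnd -or
        $Now.DayOfWeek -in 'Saturday', 'Sunday') {
        $result.Allow = $false
        $result.Reasons += "Request received off hours ($($Now.ToString('s')))"
    }

    # 2. Resolve the FQDN from the requesting IP via reverse DNS instead of trusting
    #    the value supplied by the requestor.
    try {
        $ptrName = [System.Net.Dns]::GetHostEntry($RequestorIp).HostName
    } catch {
        $ptrName = $null
    }
    if (-not $ptrName) {
        $result.Allow = $false
        $result.Reasons += "No PTR record for $RequestorIp"
    } elseif ($ptrName -ne $RequestedFqdn) {
        # Attribute modification: override the requested FQDN with the resolved one.
        $result.Fqdn = $ptrName
        $result.Reasons += "FQDN overridden from '$RequestedFqdn' to '$ptrName'"
    }

    # 3. CMDB validation: only issue host certificates for servers the company manages.
    if ($ManagedHosts.Count -gt 0 -and $result.Fqdn -notin $ManagedHosts) {
        $result.Allow = $false
        $result.Reasons += "$($result.Fqdn) is not a managed host"
    }

    return [pscustomobject]$result
}

# Constructed sample call; the IP and host names are placeholders.
Test-SshIssuanceRequest -RequestedFqdn 'web01.example.internal' -RequestorIp '192.0.2.10' `
    -ManagedHosts @('web01.example.internal', 'db01.example.internal')
```

The returned object carries the allow/deny decision, the (possibly overridden) FQDN, and the reasons, which the calling script can forward to an ITSM tool for logging.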

SSH certificate issuance flows let you integrate with a wide variety of third-party solutions, so that SSH Manager for Machines fits into your existing ecosystem.

SSH certificate issuance flows general process overview

When working with SSH certificate issuance flows, you follow this process:

  1. Complete the issuance flow prerequisites. This includes installing PowerShell, updating .NET, creating a username credential to connect to the third-party application, and creating an API application integration (if accessing the Web SDK).

  2. Edit the PowerShell script. This is where you configure custom attributes, and create the logic of the integration between your third-party application and CyberArk SSH Manager for Machines.

  3. Configure the Adaptable Flow action. Using the Policy Tree, you will create (or edit) the Adaptable Flow action, where you configure the settings used to make the flow work.

What's next? Review issuance flow prerequisites

Now that you have been introduced to SSH issuance flows, you're ready to review the issuance flow prerequisites. See Adaptable Flow prerequisites.