CyberArk PSM can be used to log in to websites through Chrome or IE. I recently had to deal with this requirement. Normally it takes some work to find the element IDs of the login form's username field, password field and submit buttons, and then to create a new connection component for them. The CyberArk MarketPlace has an Office 365 connection component that removes most of that work.

This post documents the process I went through to get Office 365 logon working through PSM.

Install and configure Chrome for PSM

Download the Office 365 connection component from the MarketPlace

It can be found by searching the CyberArk MarketPlace and downloaded from there. Make sure you read the following two documents:

The download is a 1 KB zip file containing a single XML file. The WebFormFields attribute in it is the whole logon flow PSM will drive: type {Username} into the element with id i0116, click idSIButton9, type {Password} into i0118, click idSIButton9 again, click idBtn_Back (the "No" button on the "Stay signed in?" prompt), then wait for meInitialsButton and notificationBellControl_container to appear as confirmation that the portal has loaded. XML file content:

<?xml version="1.0"?>
<ConnectionComponent DisplayName="Office 365" Type="CyberArk.PasswordVault.TransparentConnection.PSM.PSMConnectionComponent, CyberArk.PasswordVault.TransparentConnection.PSM" Id="PSM-Office-365">
  <ComponentParameters/>
  <UserParameters>
    <Parameter Type="CyberArk.TransparentConnection.BooleanUserParameter, CyberArk.PasswordVault.TransparentConnection" EnforceInDualControlRequest="No" Required="Yes" Visible="No" Value="No" Name="AllowMappingLocalDrives"/>
  </UserParameters>
  <TargetSettings ClientInvokeType="WebForm" ClientDispatcher="&quot;{PSMComponentsFolder}CyberArk.PSM.WebAppDispatcher.exe&quot; &quot;{PSMComponentsFolder}&quot;" ClientApp="Chrome" Protocol="HTTP">
    <ClientSpecific>
      <Parameter Value="10" Name="ActionTimeout"/>
      <Parameter Value="30" Name="PageLoadTimeout"/>
      <Parameter Value="No" Name="RunValidations"/>
    </ClientSpecific>
    <LockAppWindow SearchWindowWaitTimeout="30" Timeout="2000" MainWindowClass="Chrome_WidgetWin_1" Enable="Yes"/>
    <WebFormSettings EnforceCertificateValidation="Yes" WebFormFields="i0116>{Username}(searchby=id) idSIButton9>(Button)(searchby=id) i0118>{Password}(searchby=id) idSIButton9>(Button)(searchby=id) idBtn_Back>(Button) meInitialsButton>(Validation) notificationBellControl_container>(Validation) " SubmitButton="" FormName="login" LogonURL="https://login.microsoftonline.com/"/>
    <Capabilities>
      <Capability Id="KeystrokesAudit"/>
      <Capability Id="KeystrokesTextRecorder"/>
    </Capabilities>
  </TargetSettings>
</ConnectionComponent>

Download the import script from the CyberArk GitHub


GitHub repository: https://github.com/cyberark/epv-api-scripts/tree/master/Platforms
Script to download: Import-ConnectionComponents.ps1

Copy the script into Notepad and save it as a .ps1 script file (Import-ConnectionComponents.ps1).

###########################################################################
#
# NAME: Import Connection Components
#
# AUTHOR:  Assaf Miron
#
# COMMENT: 
# This script will Import a single or multiple connection components using REST API
#
# SUPPORTED VERSIONS:
# CyberArk PVWA v10.4 and above
#
#
###########################################################################

param
(
 [Parameter(Mandatory=$true,HelpMessage="Please enter your PVWA address (For example: https://pvwa.mydomain.com/PasswordVault)")]
 #[ValidateScript({Invoke-WebRequest -UseBasicParsing -DisableKeepAlive -Uri $_ -Method 'Head' -ErrorAction 'stop' -TimeoutSec 30})]
 [Alias("url")]
 [String]$PVWAURL,
 
 # Use this switch to Disable SSL verification (NOT RECOMMENDED)
 [Parameter(Mandatory=$false)]
 [Switch]$DisableSSLVerify,
 
 [Parameter(Mandatory=$false,HelpMessage="Enter the Connection Component Zip path to import")]
 [Alias("ConnectionComponent")]
 [string]$ConnectionComponentZipPath,
 
 [Parameter(Mandatory=$false,HelpMessage="Enter a folder path for Connection Components Zip files to import")]
 [Alias("Folder")]
 [string]$ConnectionComponentFolderPath
)

# Global URLS
# -----------
$URL_PVWAAPI = $PVWAURL+"/api"
$URL_Authentication = $URL_PVWAAPI+"/auth"
$URL_CyberArkLogon = $URL_Authentication+"/cyberark/Logon"
$URL_CyberArkLogoff = $URL_Authentication+"/Logoff"

# URL Methods
# -----------
$URL_ImportConnectionComponent = $URL_PVWAAPI+"/ConnectionComponents/Import"

# Initialize Script Variables
# ---------------------------
$rstusername = $rstpassword = ""
$logonToken  = ""

Function Disable-SSLVerification
{
<# 
.SYNOPSIS 
 Bypass SSL certificate validations
.DESCRIPTION
 Disables the SSL Verification (bypass self signed SSL certificates)
#>
 # Using Proxy Default credentials if the Server needs Proxy credentials
 [System.Net.WebRequest]::DefaultWebProxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
 # Using TLS 1.2 as security protocol verification
 [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
 # Disable SSL Verification
 if (-not("DisableCertValidationCallback" -as [type])) {
    add-type -TypeDefinition @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class DisableCertValidationCallback {
    public static bool ReturnTrue(object sender,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors) { return true; }

    public static RemoteCertificateValidationCallback GetDelegate() {
        return new RemoteCertificateValidationCallback(DisableCertValidationCallback.ReturnTrue);
    }
}
"@ }

 [System.Net.ServicePointManager]::ServerCertificateValidationCallback = [DisableCertValidationCallback]::GetDelegate()
}

Function Get-ZipContent
{
 Param($zipPath)
 
 $zipContent = $null
 try{
  If(Test-Path $zipPath)
  {
   $zipContent = [System.IO.File]::ReadAllBytes($(Resolve-Path $zipPath))
  }
 } catch {
  throw "Error while reading ZIP file: $($_.Exception.Message)"
 }
 
 return $zipContent
}

If ($($PSVersionTable.PSVersion.Major) -lt 3)
{
 Write-Error "This script requires PowerShell version 3 or above"
 return
}

# Check that the PVWA URL is OK
If ($PVWAURL -ne "")
{
 If ($PVWAURL.Substring($PVWAURL.Length-1) -eq "/")
 {
  $PVWAURL = $PVWAURL.Substring(0,$PVWAURL.Length-1)
 }
}
else
{
 Write-Host -ForegroundColor Red "PVWA URL can not be empty"
 return
}

Write-Host "Import Connection Component: Script Started" -ForegroundColor Cyan
# Disable SSL Verification to contact PVWA
If($DisableSSLVerify)
{
 Disable-SSLVerification
}

#region [Logon]
# Get Credentials to Login
# ------------------------
$caption = "Import Connection Component"
$msg = "Enter your User name and Password"; 
$creds = $Host.UI.PromptForCredential($caption,$msg,"","")
if ($creds -ne $null)
{
 $rstusername = $creds.username.Replace('\','');    
 $rstpassword = $creds.GetNetworkCredential().password
}
else { return }

# Create the POST Body for the Logon
# ----------------------------------
$logonBody = @{ username=$rstusername;password=$rstpassword }
$logonBody = $logonBody | ConvertTo-Json
try{
 # Logon: the CyberArk authentication endpoint returns the session token as a JSON string
 $logonToken = Invoke-RestMethod -Method Post -Uri $URL_CyberArkLogon -Body $logonBody -ContentType "application/json"
}
catch
{
 Write-Host -ForegroundColor Red $_.Exception.Response.StatusDescription
 $logonToken = ""
}
If ($logonToken -eq "")
{
 Write-Host -ForegroundColor Red "Logon Token is Empty - Cannot login"
 return
}
# Create a Logon Token Header (This will be used through out all the script)
# ---------------------------
$logonHeader =  New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$logonHeader.Add("Authorization", $logonToken)
#endregion

$arrConCompToImport = @()

If (([string]::IsNullOrEmpty($ConnectionComponentZipPath)) -and (![string]::IsNullOrEmpty($ConnectionComponentFolderPath)))
{
 # Get all Connection Components from a folder
 $arrConCompToImport += (Get-ChildItem -Path $ConnectionComponentFolderPath -Filter "*.zip")
}
ElseIf ((![string]::IsNullOrEmpty($ConnectionComponentZipPath)) -and ([string]::IsNullOrEmpty($ConnectionComponentFolderPath)))
{
 # Get the entered Connection Component ZIP
 $arrConCompToImport = $ConnectionComponentZipPath
}
Else
{
 Write-Host -ForegroundColor Red "No Connection Component path was entered."
 $arrConCompToImport = Read-Host "Please enter a Connection Component ZIP path"
}

ForEach($connCompItem in $arrConCompToImport)
{
 If (Test-Path $connCompItem)
 {
  $importBody = @{ ImportFile=$(Get-ZipContent $connCompItem); } | ConvertTo-Json -Depth 3 -Compress
  try{
   $ImportCCResponse = Invoke-RestMethod -Method POST -Uri $URL_ImportConnectionComponent -Headers $logonHeader -ContentType "application/json" -TimeoutSec 3600000 -Body $importBody
   $connectionComponentID = ($ImportCCResponse.ConnectionComponentID)
   Write-Host "Connection Component ID imported: $connectionComponentID"
  } catch {
   if($_.Exception.Response.StatusDescription -like "*Conflict*")
   {
    Write-Host "The requested connection component already exists" -ForegroundColor Yellow
   }
   Else{
    Write-Error "Error importing the connection ID, Error: $($_.Exception.Response.StatusDescription)"
   }
  }
 }
}

# Logoff the session
# ------------------
if($null -ne $logonHeader)
{
 Write-Host "Logoff Session..."
 Invoke-RestMethod -Method Post -Uri $URL_CyberArkLogoff -Headers $logonHeader -ContentType "application/json" | Out-Null
}

Write-Host "Import Connection Component: Script Ended" -ForegroundColor Cyan

Import the O365 connection component into CyberArk

Put Import-ConnectionComponents.ps1 and "Office-365 1.1.zip" into the same folder (for example C:\Temp), open PowerShell in that folder and run the following command:

.\Import-ConnectionComponents.ps1 -PVWAURL https://pvwacpm1.51sectest.dev/PasswordVault -ConnectionComponentZipPath "C:\Temp\Office-365 1.1.zip"

If you get an error message relating to the token, access denied, etc., you can replace the hostname in the URL with the IP address, such as https://192.168.2.23/PasswordVault. Note that connecting by IP address will normally fail certificate validation (the IP is not a name in the certificate unless it carries an IP SAN), so you will then need the -DisableSSLVerify switch described below.

Another common error is "Logon Token is Empty - Cannot login". It is usually caused by a self-signed (or internal CA) certificate on the PVWA that the machine running the script does not trust. The script's -DisableSSLVerify switch bypasses certificate validation. Use it only in a lab: it turns off TLS certificate validation for the whole PowerShell session while your Vault admin username and password are sent in the logon POST body, so anyone on the network path could intercept them. In production, import the PVWA's issuing CA certificate into the Trusted Root store (or fix the server certificate) and keep validation on.

.\Import-ConnectionComponents.ps1 -PVWAURL https://pvwacpm1.51sectest.dev/PasswordVault -ConnectionComponentZipPath "C:\Temp\Office-365 1.1.zip" -DisableSSLVerify
PS C:\temp> .\Import-ConnectionComponents.ps1 -pvwaurl https://172.23.1.25/PasswordVault/ -ConnectionComponentzippath "C:\temp\Office-365 1.1.zip"
Import Connection Component: Script Started
Logon Token is Empty - Cannot login
PS C:\temp> .\Import-ConnectionComponents.ps1 -pvwaurl https://172.23.1.25/PasswordVault/ -ConnectionComponentzippath "C:\temp\Office-365 1.1.zip" -DisableSSLVerify
Import Connection Component: Script Started
Connection Component ID imported: PSM-Office-365
Logoff Session...
Import Connection Component: Script Ended
PS C:\temp>
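Before reaching for -DisableSSLVerify it is worth knowing exactly why the handshake is rejected, because "untrusted root" and "name mismatch" (the usual result of connecting by IP, as in the transcript above) have different fixes. The following PowerShell is an added example, not part of the original post or of the CyberArk script. It opens a TLS connection to the PVWA, accepts the certificate only for this probe (no credentials are sent), and then reports whether the local machine trusts the chain and whether the host you typed in -PVWAURL appears in the certificate. It assumes Windows PowerShell 5.1 / .NET 4.x and PVWA on port 443; the host 172.23.1.25 in the usage line is the one from the transcript.

```powershell
# Added example, not part of the original post or of CyberArk's code.
# Assumes Windows PowerShell 5.1 / .NET 4.x and PVWA listening on 443.
function Get-PvwaTlsReport {
    param(
        [Parameter(Mandatory)][string]$HostName,   # exactly what you put in -PVWAURL (name or IP)
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate for this probe only, so the handshake completes and the
        # certificate can be inspected. No request and no credentials are sent on this connection.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
                   [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    # Check 1: does this machine trust the issuer? (the usual cause of "Logon Token is Empty")
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainTrusted = $chain.Build($cert)
    $chainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # Check 2: is the host you typed in the URL actually a name in the certificate?
    # Connecting by IP address fails here unless the certificate carries an IP SAN.
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($san) {
        # Format($true) yields one entry per line, e.g. "DNS Name=pvwa.example.com" or "IP Address=192.168.2.23"
        $names += ($san.Format($true) -split "`r?`n") |
                  ForEach-Object { ($_ -split '=', 2)[-1].Trim() } | Where-Object { $_ }
    }
    $names = @($names | Select-Object -Unique)
    $nameMatches = $names -contains $HostName   # wildcard names are not expanded here

    if (-not $chainTrusted -and $chainStatus -contains 'UntrustedRoot') {
        $verdict = 'Self-signed or internal CA: import the issuing CA certificate into Cert:\LocalMachine\Root instead of using -DisableSSLVerify'
    } elseif (-not $nameMatches) {
        $verdict = "Name mismatch: '$HostName' is not in the certificate; put one of NamesInCert in -PVWAURL"
    } elseif ($chainTrusted) {
        $verdict = 'Certificate validates on this machine; the logon failure is not caused by TLS'
    } else {
        $verdict = 'Chain problem, see ChainStatus'
    }

    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        NamesInCert  = $names
        NameMatches  = $nameMatches
        ChainTrusted = $chainTrusted
        ChainStatus  = $chainStatus
        Verdict      = $verdict
    }
}

# Usage, with the PVWA address from the transcript above:
# Get-PvwaTlsReport -HostName 172.23.1.25 | Format-List
```

When the verdict is UntrustedRoot, export the issuing CA certificate from the PVWA (or from the CA that signed it) and install it with Import-Certificate -FilePath .\pvwa-ca.cer -CertStoreLocation Cert:\LocalMachine\Root from an elevated prompt; the import script then works without -DisableSSLVerify. When the verdict is a name mismatch, use one of the names listed under NamesInCert in -PVWAURL rather than the IP address.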

More details can be found in the following YouTube video:

Modify the connection component and add it to the platform

If you use the default Generic Web App platform, you need to change the LogonURL from https://login.microsoftonline.com/ to https://{address}, so that the logon page is taken from the Address property of the account instead of being fixed in the component.

After changing the logon URL, assign this new connection component to your Generic Web App platform as shown below, and don't forget to attach the PSM server to your platform as well:
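Changing the LogonURL can also be done before the import, in the XML inside the downloaded zip, which is handy when you want to keep the unmodified PSM-Office-365 component next to a generic variant. The following PowerShell is an added example, not part of the original post or of CyberArk's tooling. It copies the zip, rewrites the LogonURL (and optionally the component Id and DisplayName, so the import does not collide with the already-imported PSM-Office-365), and parses the WebFormFields attribute into the list of actions PSM will perform so you can confirm the flow before importing. It assumes the zip holds a single .xml file as shown earlier, that WebFormFields is a space-separated list of element>value(searchby=how) tokens as in that XML (the "(default)" search method shown for tokens without searchby is just a label, not CyberArk's actual default), and that the paths in the usage lines are placeholders.

```powershell
# Added example, not part of the original post or of CyberArk's code.
# Assumes: .NET 4.5+ (Windows PowerShell 5.1), a zip with one .xml entry as shown earlier,
# WebFormFields tokens of the form  element>value(searchby=how)  separated by spaces.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-WebFormSteps {
    # Turn the WebFormFields attribute into an ordered list of PSM actions.
    param([Parameter(Mandatory)][string]$WebFormFields)

    foreach ($token in ($WebFormFields -split '\s+' | Where-Object { $_ })) {
        if ($token -match '^(?<element>[^>]+)>(?<value>.*?)(\(searchby=(?<by>[^)]+)\))?$') {
            # Copy out of $Matches before 'switch -Regex' overwrites it.
            $element = $Matches['element']; $value = $Matches['value']; $by = $Matches['by']
            $action = switch -Regex ($value) {
                '^\{Username\}$'   { 'type the account username'; break }
                '^\{Password\}$'   { 'type the account password'; break }
                '^\(Button\)$'     { 'click'; break }
                '^\(Validation\)$' { 'wait for the element (logon succeeded)'; break }
                default            { "type literal '$value'" }
            }
            if (-not $by) { $by = '(default)' }   # label only; not CyberArk's documented default
            [pscustomobject]@{ Element = $element; Action = $action; SearchBy = $by }
        } else {
            Write-Warning "Unrecognised WebFormFields token: $token"
        }
    }
}

function Set-ConnectionComponentLogonUrl {
    # Copy the zip, rewrite LogonURL (and optionally Id/DisplayName) in the XML inside it,
    # and return what changed together with the parsed logon steps.
    param(
        [Parameter(Mandatory)][string]$ZipPath,
        [Parameter(Mandatory)][string]$NewLogonUrl,
        [Parameter(Mandatory)][string]$OutputZipPath,
        [string]$NewId    # e.g. 'PSM-Office-365-Generic' to keep the original component as well
    )
    Copy-Item -LiteralPath $ZipPath -Destination $OutputZipPath -Force
    $zip = [System.IO.Compression.ZipFile]::Open($OutputZipPath, [System.IO.Compression.ZipArchiveMode]::Update)
    try {
        $entry = $zip.Entries | Where-Object { $_.Name -like '*.xml' } | Select-Object -First 1
        if (-not $entry) { throw "No .xml entry inside $ZipPath" }

        $stream = $entry.Open()
        try {
            $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::UTF8, $true, 4096, $true)
            [xml]$doc = $reader.ReadToEnd()
            $reader.Dispose()

            $settings = $doc.ConnectionComponent.TargetSettings.WebFormSettings
            $oldUrl = $settings.LogonURL
            $settings.LogonURL = $NewLogonUrl
            if ($NewId) {
                $doc.ConnectionComponent.Id = $NewId
                $doc.ConnectionComponent.DisplayName = $NewId
            }

            # Truncate the entry and write the modified document back in place.
            $stream.SetLength(0)
            $stream.Position = 0
            $writer = New-Object System.IO.StreamWriter($stream, (New-Object System.Text.UTF8Encoding($false)), 4096, $true)
            $doc.Save($writer)
            $writer.Dispose()
        } finally { $stream.Dispose() }

        [pscustomobject]@{
            OutputZip   = $OutputZipPath
            ComponentId = $doc.ConnectionComponent.Id
            OldLogonUrl = $oldUrl
            NewLogonUrl = $settings.LogonURL
            Steps       = @(Get-WebFormSteps -WebFormFields $settings.WebFormFields)
        }
    } finally { $zip.Dispose() }
}

# Usage (placeholder paths; the {address} URL is the one the post says to use for the Generic Web App platform):
# Set-ConnectionComponentLogonUrl -ZipPath 'C:\Temp\Office-365 1.1.zip' -NewLogonUrl 'https://{address}' `
#     -OutputZipPath 'C:\Temp\Office-365-generic.zip' -NewId 'PSM-Office-365-Generic' | Format-List
# .\Import-ConnectionComponents.ps1 -PVWAURL https://pvwa.example.com/PasswordVault -ConnectionComponentZipPath 'C:\Temp\Office-365-generic.zip'
```

Run with the unmodified zip first and read the Steps output: it should list the username, Next click, password, Sign in click, the idBtn_Back click and the two validation elements in that order, which is the sequence PSM replays in the Chrome session. If you import the rewritten zip under the original Id, the import script reports "The requested connection component already exists" (HTTP Conflict), which is why the example offers -NewId.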


Create your O365 admin account in PVWA under the Website system type, with your Generic Web App platform and your own safe; you will need to enter the username, address and password:

Select the correct connection component to connect:


Posted by John
