Web applications for PSM

This topic describes how to create PSM connection components for web applications.

Prerequisites

  • A supported browser must be installed. For more information, see Supported browsers below.

  • The latest browser driver must be installed for all browsers that you use. For more information, see Supported browsers below.

  • Microsoft Edge requires further hardening configuration. For details, see PSM Hardening Tasks.

  • CPM plugins require .NET Framework 4.8. If you are using an older version of the CPM, .NET Framework 4.8 must be installed on the CPM machine as well.

Supported browsers

 

CyberArk may choose not to provide maintenance and support services for Web applications for PSM with relation to any of the platforms and systems listed below which have reached their formal End-of-Life date, as published by their respective vendors from time to time. For more details, contact your CyberArk support representative.

You can configure PSM connection components for web applications based on a default generic connection component that is created in the PVWA automatically during installation.

The following browsers are supported:

Browser

Download info

Google Chrome (32-bit), version 100 or later

Click here to download this version

Microsoft Edge (32-bit), version 103 or later

Click here to download this version

To prevent incompatibility issues with the PSM Webapp infrastructure, with every new browser version update, make sure to also update the browser's driver with the same version. For example, when updating the Chrome browser to version 104, the Chrome driver on the machine must also be updated to version 104.

Download and install the latest driver:

  • For Google Chrome, use this link to download the latest stable 32-bit (x86) driver.

  • For Microsoft Edge, use this link to download the latest stable 32-bit (x86) driver.

Copy the relevant downloaded exe file, Chromedriver.exe or msedgedriver.exe to the PSM Components folder.

Configuration

You can configure connection components for web applications based on a default generic connection component that is created in the PVWA automatically during installation.

  1. Extract the Secure Web Application Connectors Framework zip file that you downloaded to any location on the PSM server.

  2. Copy all the files from the Components folder in the zip file to the PSM Components folder on your PSM machine.

  1. In the System Configuration page, in the Component Settings, click Options, and expand Connection Components.

    The defined connection components appear.

  2. Right-click PSM-WebAppSample, and select Copy.

     

    For versions 10.1 or lower, copy PSM-WebFormSample.

  3. Right-click Connection Components, and select Paste Connection Component.

    A new connection component is added to the bottom of the list. This connection component is also called PSM-WebAppSample.

  4. Change the Id and DisplayName of the new connection component.

     

    For versions 10.1 or lower, under Target Settings, set ClientDispatcher to "{PSMComponentsFolder}\CyberArk.PSM.WebAppDispatcher.exe" "{PSMComponentsFolder}".

  1. Go to Target Settings > Web Form Settings.

  1. Define the following properties:

    Property

    Description

    LogonURL

    The address of the web application.

    Specify the URL of the login page.

    The URL can include dynamic parameters such as the address that is replaced with the value of the corresponding property of the account.

      
    https://accounts.google.com/ServiceLogin

     

      
    https://{Address}

     

      
    http://{Address}/Welcome/Login

    WebFormFields

     

    		 Describes the list of login actions. For details, see Web Form Fields

    EnforceCertificate
    Validation

    Whether or not PSM will validate target website certificates when initiating PSM connections. This enables PSM to connect to local websites that do not have valid certificates, such as LAN applications with self-signed certificates.

    To connect to local websites that use self-signed certificates, select No.

  1. In Edit target > Client specific settings, define the following:

    Name Description

    ActionTimeout

    The maximum number of seconds to wait for an action to complete.

    Valid values: Positive number

    Default value: 10

    PageLoadTimeout

    The maximum number of seconds to wait for a page to load.

    Valid values: Positive number

    Default value: 30

    BrowserPath

    Path to the browser exe file

    Valid values: Full path

    DriverFolder

    Folder the drive is located.

    Valid values: Folder path

    RunValidations

    Specifies if the validations defined in WebFormFields run. If set to "Yes", validations are required.

    Valid values: Yes/No

    Default value: No

  1. In Target Settings, under the ClientApp properties, set the browser.

    Valid values

    Default value

    Chrome, Edge

    Chrome

  2. Under Lock Application Window, ensure that the MainWindowClass property is set to Chrome_WidgetWin_1, which is the correct value for all supported browsers.

  • Click OK to save the new Connection Component configurations and return to the System Configuration page.

  1. Click Platform Management to display a list of supported target account platforms.

  2. Select the platform to configure, and then click Edit.

    The settings page for the selected platform appears.

  3. Expand UI & Workflows, right-click Connection Components, and then select Add Connection Component.

    A new connection component is added to the current list of connection components that are configured for this platform.

  4. In the new Connection Component, define the following properties:

    Name

    Description

    ID

    The unique ID that identifies the connection component that you created previously for the specific command.

    Enable

    Whether or not this connection component will be enabled for this platform. Select Yes.

  5. Do one of the following:

    • Click Apply to apply the new platform configurations.
    • Click OK to save the new platform configurations and return to the System Configuration page.
 

When creating or linking a connection component, add a ">" (right angle bracket) to the ForbiddenCharacters parameter of the platform.

Convert WebForm to WebApp

You can convert any connector that is based on the WebFormDispatcher.

To convert the connector from WebForm to WebApp:

  1. In the PVWA, click Administration Configuration Options, and then click Options.
  2. In the left pane, expand Connection Components, and then expand the relevant connector.

  3. Click Target Settings, and then do the following:

    Property

    Value

    ClientDispatcher

    Change the value to: "{PSMComponentsFolder}\CyberArk.PSM.WebAppDispatcher.exe" "{PSMComponentsFolder}"

    ClientApp

    Change the value to the relevant browser. For details, see Select the Browser.

Web Form Fields

Syntax

Specify the information listed below in WebFormFields. Add the fields in a list of rows, using the following format:

To enter text into an input field, specify a line in the following format:

  
Identifier > Value (SearchBy=Type) (SendSlow=Time)


Name

Description

Valid Values

Identifier (mandatory)

The ID, name, class, text or xpath of the field.

The entry cannot contain white spaces for ID, name, or class.

 

For xpath, when using [ ], include a caret (^) before each bracket.

For example:

//*[@id="contentBody"]/div/div[2]/div[2]/h1

should be entered as:

//*^[@id="contentBody"^]/div/div^[2^]/div^[2^]/h1

Value (mandatory)

The value of the identifier.

Value to enter in the field, where { } are replaced by parameters.

For example, {username}@{domain}

Type

The type of field in the HTML page.

ID/Name/Class/Text/XPath

By default, fields are searched in the following order: ID, Name, Class.

SendSlow (optional)

The number of seconds to wait between characters before the next character is sent.

Number of seconds

If no value is provided, all of the text will be sent at one time.

To click a button or other clickable elements, specify a line in the following format:

  
Identifier > (Button) (SearchBy=Type)

Or

  
Identifier > (Click) (SearchBy=Type)

 

Name

Description

Valid Values

Identifier (mandatory)

The ID, name, class, text or xpath of the field.

The entry cannot contain white spaces for ID, name, or class.

 

For xpath, when using [ ], include a caret (^) before each bracket.

For example:

//*[@id="contentBody"]/div/div[2]/div[2]/h1

should be entered as:

//*^[@id="contentBody"^]/div/div^[2^]/div^[2^]/h1

Type

The type of field in the HTML page

ID/Name/Class/Text/XPath

By default, fields are searched in the following order: ID, Name, Class.

After a successful login, an element is required in order to verify that the correct page was loaded and the process was successful. To identity these elements, specify a line in the following format:

  
Identifier > (Validation) (SearchBy=Type)

Or

  
Identifier > (Verification) (SearchBy=Type)

 

 
  • All validations must run at the end of the login process.
  • The relation between validations will be "or". If one of the fields defined in the validations will be find, the login will be considered a success.

 

Name

Description

Valid Values

Identifier (mandatory)

The ID, name, class, text or xpath of the field.

The entry cannot contain white spaces for ID, name, or class.

 

For xpath, when using [ ], include a caret (^) before each bracket.

For example:

//*[@id="contentBody"]/div/div[2]/div[2]/h1

should be entered as:

//*^[@id="contentBody"^]/div/div^[2^]/div^[2^]/h1

Type

The type of field in the HTML page

ID/Name/Class/Text/XPath

By default, fields are searched in the following order: ID, Name, Class.

If the required elements are enclosed in a frame, specify the following format to enter a frame where the identifier is known:

  
Identifier > (iFrame) (SearchBy=Type)


Name

Description

Valid Values

Identifier (mandatory)

The ID, name, class, text or xpath of the field.

The entry cannot contain white spaces for ID, name, or class.

Type

The type of field in the HTML page.

ID/Name/Class/Text/XPath

By default, fields are searched in the following order: ID, Name, Class.

  • Specify the following format to enter a frame that has no identifier:

      
    (iFrame)

     

     

    This format will also work in cases where an identifier is available, although its performance will be lower.

  • Specify the following format to return to the main window:

      
    (MainWindow)

To navigate to a new URL, specify a line in the following format:

  
(Navigate=URL)


Name

Description

Valid Values

URL(mandatory)

The URL to navigate to.

Valid URL

By default, when failing to login, the user will receive generic messages such as "Element not found". To provide more accurate error messages for the user such as "Invalid username or password", elements can be located on the page, and a relevant message can be attached to them.

To add this type of scenario, specify a line in the following format:

  
Identifier > (Failure) (SearchBy=Type)(Message="Message")


Name

Description

Valid Values

Identifier (mandatory)

The ID, name, class, text or xpath of the field.

The entry cannot contain white spaces for ID, name, or class.

 

For xpath, when using [ ], include a caret (^) before each bracket.

For example:

//*[@id="contentBody"]/div/div[2]/div[2]/h1

should be entered as:

//*^[@id="contentBody"^]/div/div^[2^]/div^[2^]/h1

Type

The type of field in the HTML page

ID/Name/Class/Text/XPath

By default, fields are searched in the following order: ID, Name, Class.

Message

The message that will be displayed to the user when this element is found.

Text in quotes ("")

Examples

 

WebFormFields example

  1. Go to the GMail login page

  2. Inspect the HTML code of the "Email or phone" field:

    As you can see, the ID of the field is "identifierId". We will specify its value as the username. Thus, the first line is:

    identifierId > {username}

  1. Subsequent values as follows:

    identifierId > {username}
identifierNext > (Button)
password > {password}
passwordNext > (Button)
gb > (Validation)
gbq1 > (Validation)

In this example, the code will:

  1. Enter the username to the "Email or phone" field.
  2. Press the "Next" button.
  3. Enter the password to the "Enter your password" field.
  4. Press the "next" button.
  5. Validate that either "gb" or " gbq1" (the icon fields at the top right) are available.
 

WebFormFields example for a site using iFrame

gsft_main> (iframe)

user_name>{Username}

user_password>{Password}

sysverb_login>(Button)

(mainwindow)

nav-settings-button>(Validation)(searchby=id)

application_picker_select>(Validation)(searchby=id)

In this example, the username, password and button are all in an iFrame that has no identifier.

Preconnect custom code

Overview

If you want to run custom logic before the login process, for example, creating a temporary user for the login process, you can implement an interface using a Preconnect dll file provided by CyberArk. The implemented dll can then be configured to be called prior to a connection, and the returned values can be used in the login process.

Create the preconnect dll

To be able to develop the logic that will be performed before running the connection, you need to implement the interface defined in the PreconnectUtils.dll file.

To create the Preconnect dll:

  1. In the PSM\Components folder, locate the PreconnectUtils.dll file.

  2. Create the dll by implementing the IPreconnectContract defined in the PreconnectUtils.dll file, and then implement the GetParametersmethod: GetParameters(Dictionary,string, SecureString> parameters, WriteToLogHandler WriteToLogMethod)

    Inputs

    Output

    Parameters - A key-value dictionary of the parameters retrieved from the account that are defined in the Preconnect parameter.

    WriteToLogMethod - A handle method used to write information to the logs. See To write information to the logs: below.

    A key-value dictionary of parameters used in the login process.
  3. Make sure that you put the Preconnect dll in the PSM\Components folder.

To write information to the logs:

  • Use WriteToLogMethod to write to the logs.

  • Use Consts to define the log level.

     

    WriteToLogMethod("Start Method", Consts.LOG_LEVEL_INFO);

To return a custom error message to the end user:

  • Throw a PreconnectException exception with the error message that you want the end user to see.

     

    throw new PreconnectException("Preconnect exception");

    Any other exception that is thrown is written to the log only, and the end user will receive a general error message.

Configure the web application

To define the Preconnect dll that will be used during the connection:

  1. In the PVWA, click AdministrationConfiguration Options, and then click Options.
  2. In the left pane, expand Connection Components, and then expand the relevant connector.

  3. Expand Target Settings, right-click Client Specific, and add the following two parameters.

    Parameter

    Description

    PreConnectDllName

    The name of dll file that contains the Preconnect logic.

    Note: The dll file must be located in the PSM Components folder.

    PreConnectParameters

    A comma-separated list of parameters that is sent to the Preconnect dll file.

    Example: username,password

    Note: The parameter names are case-sensitive and should be entered using the same case as they are defined in the configuration options.

  4. If you want to use the values from the Preconnect dll, add these values in the WebFormFields, in the Input field. See Input field, above, in this topic. This is done for each connector.

     

    Different symbols are used for Preconnect parameters in WebFormFields.

    • Use the ampersand symbol, &&, for parameters from the Preconnect dll: &placeholder&
    • Use the brace symbol {} for account or configuration parameters: {placeholder}