Error code 4037 while fetching asset value from CyberArk CCP through disconnected credential proxy

Troubleshoot "Error code 4037 (Forbidden)" while fetching asset value from CyberArk CCP through disconnected credential proxy

Issue Description:

Error code 4037 while fetching asset value from CyberArk CCP through disconnected credential proxy

Resolution:

  • Validate the format of the client certificate and of the root CA server certificate (the latter only if the CyberArk server uses a self-signed certificate or one signed by a non-public CA).
  • Make sure that the certificates are in PFX format. PFX files are binary (not human-readable). If the content of the certificate has -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, it is not in PFX format. To convert the certificate to PFX, import it on any machine and export it as PFX.
  • Convert the PFX file to a Base64 string using the following PowerShell script:

# -Encoding Byte is Windows PowerShell syntax; PowerShell 6+ uses -AsByteStream instead.
$fileContentBytes = Get-Content 'C:\path\to\the.pfx' -Encoding Byte
[System.Convert]::ToBase64String($fileContentBytes) | Out-File 'C:\path\to\the.txt'

  • If the root CA server certificate (.crt) needs to be configured, convert it to a Base64 string using the same script.
  • From the credential proxy server, use the following PowerShell script to fetch the credentials from CyberArk CCP:

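# Force TLS 1.2 for the request
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$URI = "<Cyberark URL with AppID, Safe etc>"

# Path to the client certificate (.pfx)
$certPath = ""
$cert = Get-PfxCertificate -FilePath $certPath

# Call CCP with the client certificate and print the response
$res = (Invoke-RestMethod -Method Get -Uri $URI -Certificate $cert)
echo $res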

  • If the above script works, put the Base64 content of the client certificate in the SerializedClientCertificate field and the Base64 content of the server root CA in the SerializedRootCA field of the appsettings.prod.json file on the disconnected credential proxy server. The content of the file should look like the following:

{
  "Jwt": {
    "Keys": [
      "*****"
    ]
  },
  "AppSettings": {
    "CredentialsProxyType": "Disconnected",
    "SecureStoreConfigurations": [
      {
        "Key": "UiPath_CyberArkCCP",
        "Type": "CyberArkCCP",
        "Context": {
          "ApplicationId": "UiPath",
          "Safe": "*1",
          "Folder": "Root",
          "WebServiceUrl": "https://****/",
          "WebServiceName": "AIMWebService",
          "SerializedClientCertificate": "",
          "ClientCertificatePassword": "UiPath123",
          "SerializedRootCA": ""
        }
      }
    ]
  }
}

  • Save the file, restart IIS, and run the job again.
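
A check that can be run on the Base64 text files before their content is pasted into SerializedClientCertificate and SerializedRootCA, given here as an added example (not part of the original article or of UiPath or CyberArk tooling). The function name Test-SerializedCertificate and its parameters are hypothetical; it decodes the text, detects a PEM source file, and confirms that the client certificate is a PFX that opens with the configured password and carries a private key.

```powershell
# Added example: verify a Base64 file produced by the conversion step above.
function Test-SerializedCertificate {
    param(
        [Parameter(Mandatory)] [string] $Base64Path,  # e.g. 'C:\path\to\the.txt'
        [string] $Password = '',                      # PFX password; leave empty for the root CA
        [switch] $ClientCertificate                   # set when checking the client certificate
    )
    $X509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]

    # Out-File adds a trailing newline; strip all whitespace before decoding.
    $text  = (Get-Content -Path $Base64Path -Raw) -replace '\s', ''
    $bytes = [System.Convert]::FromBase64String($text)   # throws if the text is not Base64

    # If the source file was PEM text, the decoded bytes start with the BEGIN marker.
    $head  = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(10, $bytes.Length))
    $isPem = $head.StartsWith('-----BEGIN')

    $type = $X509::GetCertContentType([byte[]]$bytes)    # Pfx, Cert, ...
    $cert = $X509::new([byte[]]$bytes, $Password)        # throws on wrong password or corrupt data

    $notExpired = $cert.NotAfter -gt (Get-Date)
    if ($ClientCertificate) {
        # The client certificate must be a PFX that includes its private key.
        $usable = ($type -eq 'Pfx') -and $cert.HasPrivateKey -and $notExpired
    } else {
        # The root CA only needs to load as a certificate that is still valid.
        $usable = $notExpired
    }

    [pscustomobject]@{
        ContentType   = $type
        SourceWasPem  = $isPem
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        Usable        = $usable
    }
}

# Usage (paths are placeholders, as in the conversion script above):
# Test-SerializedCertificate -Base64Path 'C:\path\to\the.txt' -Password '<PFX password>' -ClientCertificate
# Test-SerializedCertificate -Base64Path 'C:\path\to\rootca.txt'
```

A result with ContentType other than Pfx, or HasPrivateKey set to False, for the client certificate means the file needs to be re-exported as PFX before it is configured.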