Article

When standard integrations are not enough:

Developing custom CyberArk connectors in practice

  • Illustration

    Author: Danylo Khomutov, Senior Service Engineer, BAKOTECH

Content

Chapter 1: Architectural challenges and strategy selection Chapter 2: Building the pgAdmin 4 dispatcher logic Chapter 3: The hybrid DBeaver approach — CLI and UI Chapter 4: The golden rule – verification and input control Conclusion

In modern cybersecurity architecture, Privileged Access Management (PAM) serves as the foundation for protecting critical infrastructure. CyberArk Privileged Access Manager is rightfully considered a market leader in this area thanks to its scalability and adaptability to the most complex enterprise environments. However, even the most powerful system is only effective when it covers 100% of an organization’s target resources.

This is where integrations become essential. Most non-standard tasks can be solved through the CyberArk Marketplace — a portal that offers hundreds of ready-made connectors that require only minor configuration in an existing environment.

Using the Marketplace is the “gold standard”: it ensures rapid deployment and guaranteed compatibility. However, the dynamic evolution of IT tooling often outpaces the release cycle of official plugins. In my practice, pgAdmin 4 and DBeaver have become such challenges. These tools are indispensable for modern database administrators, yet at the time, they lacked suitable out-of-the-box integrations.

In this article, we will explore the technical aspects of developing custom connectors for PSM (Privileged Session Manager) modules, focusing on building reliable automation logic when standard methods fail.

Chapter 1: Architectural challenges and strategy selection

The primary challenge when developing custom PSM dispatchers is the diversity of target application interfaces. When working with pgAdmin 4, we are dealing with a hybrid application. Although it is installed as desktop software, it is essentially a web-rendering container. From the operating system’s perspective, the entire application window is represented as a single object of the class Chrome_WidgetWin_1.

This means we cannot rely on traditional automation using Control IDs. The connector simply cannot “see” individual buttons or text fields. In such conditions, engineers face a choice: rely on fragile coordinate-based logic or build an intelligent system for interface state detection and synchronization. We chose the latter.

Chapter 2: Building the pgAdmin 4 dispatcher logic

The development of the pgAdmin 4 dispatcher was divided into 10 critical stages, each addressing a separate technical challenge.

Preventive execution environment isolation

One of the first technical barriers was library conflicts. PSM servers often maintain their own OpenSSL configurations, which may differ from the versions expected by pgAdmin. To eliminate instability risks, we implemented an environment sanitization stage: the script forcibly clears the OPENSSL_CONF and OPENSSL_MODULES environment variables immediately before launching the process. This ensures that the application runs in a “clean” environment using only its own verified components.

Dynamic interface waiting (PixelSearch)

Since pgAdmin’s web-rendering speed depends on server performance and current load, relying on fixed timeout delays (Sleep) would be a critical mistake. Instead, we implemented dynamic scanning logic. The script enters a waiting loop and uses the PixelSearch function to detect the appearance of specific colors at defined interface coordinates. Only after the system confirms that the interface is ready for interaction does it proceed to the next stage.

Action emulation and navigation

Navigation within the application window was implemented using a combination of hotkeys and context menus. Since we do not have direct access to buttons, the dispatcher simulates right-click actions within predefined interface zones to open the server registration menu, then executes complex sequences to navigate among the address, port, and credential fields.

Illustration

Chapter 3: The hybrid DBeaver approach — CLI and UI

With DBeaver, we took a different approach by leveraging the command-line interface (CLI). However, even the presence of a CLI does not make development trivial.

Method combination

The DBeaver automation approach differed significantly from the pgAdmin case. The primary tool here became the command-line interface, but this decision was driven not only by the desire for stability — it was primarily dictated by strict security and session hygiene requirements.

With a standard “bare” launch, DBeaver attempts to save every new connection profile into the user’s local configuration by default. In a PSM environment, where a single server serves hundreds of users, this creates a serious risk: without additional controls, the next administrator could potentially see artifacts of previous connections — database names and server addresses.

Attempting to solve this problem solely through UI emulation (such as navigating settings menus to disable saving) would be unreliable. Java application interfaces often behave unpredictably, and even minor client-version updates can break the cleanup logic.

That is why we used CLI initialization, generating a complex launch string based on Vault data:

"name=" & $ConnectionName & "|driver=" & $Driver & "|host=" & $TargetAddress & ... & "|save=false|savePassword=true"

The key advantage of this approach lies in the use of specific flags, particularly save=false. This allowed us to:

    Prevent local storage: connection parameters exist only within the active session.

    Ensure profile cleanliness: once the DBeaver window is closed, no connection artifacts remain in the PSM server’s file system.

    Automate “single-use” connections: each session is created as a temporary in-memory object, perfectly aligning with the Zero Trust model.

As a result, CLI integration became the mechanism that enabled a level of security impossible to achieve through traditional UI emulation alone.

Handling “noisy” windows

DBeaver is a Java-based application that may generate numerous pop-up dialogs upon launch, such as update notifications, “tip of the day” messages, or database driver download prompts. Our dispatcher was designed to monitor these windows in real time. If a Driver settings window appears, the script automatically presses the Download button, waits for it to complete, and then proceeds with connection monitoring.

Chapter 4: The golden rule – verification and input control

One of the most important aspects of the project was the principle of controlled privilege handoff. In standard (less secure) systems, users can observe and interfere with the automation process, often causing errors or attempting to bypass security controls.

Input block

We implemented logic where the user remains a “viewer” throughout the entire login process. Using the Hardware Input Lock mechanism, CyberArk blocks keyboard and mouse interaction while the dispatcher is running. This guarantees that the automation sequence cannot be interrupted by accidental user input.

Connection success verification

The verification stage is the key part of the workflow. After the password is entered and “Enter” is pressed, the dispatcher does not immediately complete execution. Instead, it switches into success-monitoring mode.

    The script searches for visual indicators of successful authentication — for example, the appearance of Dashboard graphs in pgAdmin or a change in connection status in DBeaver.

    If no success indicators appear within a defined timeframe (for example, 30 seconds), or if an error window appears, the dispatcher interprets this as an authentication failure, logs the corresponding event, and forcibly terminates the session.

Only after the system verifies a successful connection does the dispatcher send the PSMGenericClient_SendPID signal. This signal instructs CyberArk to:

    Remove hardware keyboard and mouse locking.

    Transfer full application control to the end user.

This approach eliminates scenarios where users encounter an “Access Denied” window and attempt to manually enter passwords or modify connection settings.

Illustration
Illustration

Conclusion

Developing custom CyberArk connectors is the art of combining deep infrastructure expertise with strong engineering and programming skills. The pgAdmin 4 and DBeaver cases demonstrate that, even without official plugins, the CyberArk architecture enables organizations to build solutions that match the capabilities of native integrations in both security and usability.

Key lessons learned:

    Automation must be intelligent: use pixel and window-state detection instead of static delays.

    Control comes first: users should not gain control until the system confirms a secure connection.

    Isolation equals stability: preventive sanitization of the execution environment eliminates countless unpredictable issues.

Building such systems requires not only CyberArk expertise, but also hands-on experience solving non-standard engineering challenges. The BAKOTECH team is ready to provide professional support in developing and implementing custom solutions of any complexity, helping you secure every corner of your IT infrastructure.

Illustration

BAKOTECH is a regional representative of CyberArk in Ukraine, Moldova, the Caucasus, and Central Asia. As a True Value Added IT distributor, BAKOTECH provides professional pre- and post-sales, marketing, technical support for partners and end customers.

Social media

Email

moc.hcetokab%40krarebyc

Illustration

BAKOTECH is a regional representative of CyberArk in Ukraine, Moldova, the Caucasus, and Central Asia. As a True Value Added IT distributor, BAKOTECH provides professional pre- and post-sales, marketing, technical support for partners and end customers.

Social media

Email

moc.hcetokab%40krarebyc