
Vault-Conjur Integration

Version 10.4


Important Notice

Conditions and Restrictions

This guide is delivered subject to the following conditions and restrictions:

This guide contains proprietary information and ideas belonging to CyberArk Software Ltd. which are supplied solely for the purpose of assisting explicitly and properly authorized users of the CyberArk software.

No part of its contents may be used for any other purpose, disclosed to any person or firm or reproduced by any means, electronic and mechanical, without the express prior written permission of CyberArk Software Ltd.

The software described in this document is furnished under a license. The software may be used or copied only in accordance with the terms of that agreement.

Information in this document, including the text and graphics which are made available for the purpose of illustration and reference only, is subject to change without notice. Corporate and individual names and data used in examples herein are fictitious unless otherwise noted.

Third party components used in the CyberArk software may be subject to applicable terms and conditions.

Acknowledgements

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]). This product includes software written by Ian F. Darwin. This product includes software developed by the ICU Project (http://site.icu-project.org/), Copyright © 1995-2009 International Business Machines Corporation and others. All rights reserved.

Copyright © 2000-2018 CyberArk Software Ltd. All rights reserved. CyberArk®, the CyberArk logo, and all other names and logos that appear in this Guide are trademarks of CyberArk Software Ltd. and their respective owners. Information in this document is subject to change without notice.

CS-010-4-0 9/16/2018

Table of Contents

Vault Conjur Synchronizer
    Solution benefits
    How does it work?
    Synchronizer Flow
    System requirements
    Hardware requirements
    Licensing
    Audits
Synchronizer Installation
    Configure Vault components
    Installation
        Standard installation
        Silent installation
    Post installation
    Security
        For v4 EE installation only
        For v5 EE installation only
Configuration
    CyberArk Vault-Conjur Synchronizer Windows service configuration
    VaultConjurSynchronizer.exe.config
    Vault.ini
Run Synchronizer
Line of Business (LOB)
    Overview
    Add an LOB
        Configuration
        Customize the account name
    Delete an LOB
    Supported LOBs
Conjur Policies
    Conjur 4 EE
    Conjur 5 EE
        Example
Accounts and Safes
    Manage single accounts
        Provisioning methods
        Add an account in the PVWA
    Manage Dual Accounts
        How it works
        Dual Account properties
        Configure dual accounts
    One-time Passwords and Exclusive Accounts
        Interactive usage of one-time passwords and exclusive accounts
        Application usage of one-time passwords and exclusive accounts
    Manage Accounts and Safes During Synchronization
Upgrade
Uninstall Synchronizer
Limitations
    General Synchronizer limitations
    Deletion limitations
    Upgrade limitations
Logs
    Log files
    Windows Event log
    Log entry format
Troubleshooting


Vault Conjur Synchronizer

CyberArk's Digital Enterprise Password Vault® (EPV) integration with Conjur expands CyberArk Privileged Access Security to the DevOps space and to modern, dynamic environments. Secrets that are stored and managed in the CyberArk Vault can now be shared with Conjur and used via its clients, APIs and SDKs to enhance security and reduce risk in DevOps environments, including CI/CD pipelines, containerized applications, and cloud platforms.

The integration between the Enterprise Password Vault® (EPV) and Conjur provides Security, IT, and DevOps teams with a common platform to enforce privileged access security policies on all platforms (on premise, cloud, and DevOps), forming a consistent, unified, enterprise-wide PAS program.


Solution benefits

CyberArk's Digital Enterprise Password Vault® (EPV) integration with Conjur provides the following benefits:

Enables CyberArk customers who store and manage their secrets in the Enterprise Password Vault® (EPV) to benefit from Conjur's capabilities to provide secrets in dynamic and ephemeral environments and containers.

Enables central policy enforcement for DevOps use cases, such as rotation, monitoring, and auditing.

How does it work?


1. The Vault Admin creates LOB users and grants them ownership of specific safes. These LOBs facilitate the syncing of accounts to Conjur.

2. The CyberArk Vault-Conjur Synchronizer service (Synchronizer) retrieves the accounts for these LOBs.

3. The Synchronizer generates a Conjur policy for these LOBs that contains the secrets defined as variables, and loads it to Conjur.

4. The Synchronizer syncs the accounts to Conjur as Conjur variables.

5. The Conjur LOB Admin creates and loads a Conjur policy that delegates permissions on the variables to users and hosts.

During each sync interval, the Synchronizer repeats step 2 and, if needed, steps 3 and 4.

Synchronizer Flow

The Synchronizer syncs secrets from accounts in the root folder of safes that are owned by the LOB user.

The Synchronizer supports most account types. To learn more about single and dual accounts, see Accounts and Safes.

Note: Accounts used on Service Account platforms are not synced.

In each sync interval the following steps are taken:

1. The Synchronizer user retrieves all LOB User accounts from the ConjurSync safe.

   If there is a new LOB, it generates the policy for that LOB and loads it to Conjur.

   For Conjur v4 EE only: the policy is also saved to a folder named ConjurPolicies.

   Each Vault account is represented in Conjur by the following variables:

   Variable    Required
   password    Yes
   username    No

   For example:

   Single account (Vault_Name/Safe1/Root/Account1) is represented by two variables:

       Vault_Name/lob_name/Safe1/Account1/username
       Vault_Name/lob_name/Safe1/Account1/password

   Both carry the following annotations:

       cyberark-vault: true
       cyberark-vault/accounts: Vault_Name/Safe1/Account1

   Dual account (Vault_Name/Safe1/Root/Account1, Vault_Name/Safe1/Root/Account2) is represented by two variables named after the virtual user:

       Vault_Name/lob_name/Safe1/virtual_user_name/username
       Vault_Name/lob_name/Safe1/virtual_user_name/password

   Both carry the following annotations:

       cyberark-vault: true
       cyberark-vault/accounts: Vault_Name/Safe1/Account1, Vault_Name/Safe1/Account2
       cyberark-vault/dual-account: true

   Non-CPM managed account: same as a single account.

   Note: In a dual account, the virtual_user_name of the Dual Account group must be unique per safe. For example, if a user has two Unix environments with Dual Account configured, the two environments cannot have the same virtual_user_name.

   Note: If multiple LOBs own the same safe, a separate set of username and password variables is created for each LOB in Conjur.

2. The Synchronizer runs at the interval defined by the SYNC_INTERVAL_TIME parameter in the VaultConjurSynchronizer.exe.config file. Each run syncs the LOB-owned safes with Conjur. The default value of SYNC_INTERVAL_TIME is 300 seconds (5 minutes).

   If the syncing process for an LOB takes longer than SYNC_INTERVAL_TIME, the next sync interval for that LOB is skipped.

3. If an account is added to a synced safe, or a new safe is added or assigned to the LOB user, the new accounts are synced to Conjur in the next sync interval. The Synchronizer first refreshes changes in currently synced secrets and then adds the new accounts to Conjur, so ongoing changes are updated as soon as possible.
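The variable naming and annotation scheme described in the steps above, modelled in Python. This is an added example and not CyberArk's Synchronizer code; the function names, the input shapes of sync_plan ({lob: [safes]} and {safe: [entries]}) and the account names in the usage are constructed for illustration. It reproduces the two-variables-per-account rule, the dual-account naming by virtual_user_name, the separate variable set per LOB when several LOBs own one safe, and the uniqueness rule for virtual_user_name within a safe.

```python
"""Model of how synced Vault accounts map to Conjur variables (added example,
not CyberArk code). Input shapes and sample names are constructed."""
from dataclasses import dataclass, field


@dataclass
class ConjurVariable:
    name: str                                   # variable ID under the root policy
    annotations: dict = field(default_factory=dict)


def account_path(vault, safe, account):
    # Vault-side identity recorded in cyberark-vault/accounts; the safe's
    # Root folder is not part of it.
    return f"{vault}/{safe}/{account}"


def single_account_variables(vault, lob, safe, account):
    """The username and password variables for one synced account."""
    base = f"{vault}/{lob}/{safe}/{account}"
    ann = {"cyberark-vault": "true",
           "cyberark-vault/accounts": account_path(vault, safe, account)}
    return [ConjurVariable(f"{base}/{suffix}", dict(ann))
            for suffix in ("username", "password")]


def dual_account_variables(vault, lob, safe, virtual_user, accounts):
    """The variables for a dual-account group, named after its virtual user."""
    base = f"{vault}/{lob}/{safe}/{virtual_user}"
    ann = {"cyberark-vault": "true",
           "cyberark-vault/accounts": ", ".join(
               account_path(vault, safe, a) for a in accounts),
           "cyberark-vault/dual-account": "true"}
    return [ConjurVariable(f"{base}/{suffix}", dict(ann))
            for suffix in ("username", "password")]


def sync_plan(vault, lob_safes, safe_contents):
    """Variables the Synchronizer would create for every LOB-owned safe.

    lob_safes:     {lob_name: [safes the LOB user owns]}   (constructed shape)
    safe_contents: {safe: [("single", account)
                           | ("dual", virtual_user, [account, ...])]}
    Raises ValueError when a virtual_user_name repeats inside one safe.
    """
    for safe, entries in safe_contents.items():
        virtual_users = [e[1] for e in entries if e[0] == "dual"]
        dup = {v for v in virtual_users if virtual_users.count(v) > 1}
        if dup:
            raise ValueError(f"duplicate virtual_user_name in {safe}: {sorted(dup)}")

    plan = {}
    for lob, safes in lob_safes.items():          # one variable set per LOB
        for safe in safes:
            for entry in safe_contents.get(safe, []):
                if entry[0] == "single":
                    new = single_account_variables(vault, lob, safe, entry[1])
                else:
                    new = dual_account_variables(vault, lob, safe, entry[1], entry[2])
                for var in new:
                    plan[var.name] = var
    return plan


if __name__ == "__main__":
    # Two LOBs own Safe1, which holds one single and one dual account.
    plan = sync_plan("Vault_Name",
                     {"lob_a": ["Safe1"], "lob_b": ["Safe1"]},
                     {"Safe1": [("single", "Account1"),
                                ("dual", "virtual_user_name", ["Account1", "Account2"])]})
    for name, var in sorted(plan.items()):
        print(name, var.annotations)
```

Running the script lists eight variables: username and password for the single account and for the dual-account group, once under lob_a and once under lob_b, which is why granting a host access to "the" password of an account is always a per-LOB decision.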

System requirements

Component        Requirement

PAS              Version 9.5 and up.
                 For details, see the Privileged Access Security Installation Guide.

Conjur           Version 5 Enterprise Edition: 5.1.1 EE and up.
                 For installation details, see https://docs.conjur.org/Latest/en/Content/Get%20Started/install-enterprise.htm.
                 Version 4 Enterprise Edition: 4.9.8 and up.
                 For installation details, see https://developer.conjur.net/server_setup/platforms/docker.html.

Conjur CLI       Conjur v4 EE: CLI version 4.29.0 and up, or the latest cyberark/conjur-cli:4 Docker image.
                 Conjur v5 EE: recommended install (not mandatory): the cyberark/conjur-cli:5 Docker image.
                 For more information about Conjur CLI Docker images, see https://hub.docker.com/r/cyberark/conjur-cli/

Synchronizer     Windows Server 2016 or Windows Server 2012 R2
                 .NET Framework 4.5.2
                 PowerShell 4
                 RemoteSigned Windows PowerShell script execution policy

Hardware requirements

Component        CPU (# of cores)    RAM (GB)
Conjur server    4                   Conjur container: 8; Conjur host machine: 16 or greater
Synchronizer     4                   8


Licensing

The Synchronizer and the LOB users are APPProvider users and require appropriate licenses.

Audits

Audit records are stored in the Enterprise Password Vault® (EPV) and in Conjur. The Synchronizer does not maintain audit records.


Synchronizer Installation

This topic describes how to install the Synchronizer on a Windows platform.

Log in to the Synchronizer machine as an Administrator and unzip VaultConjurSynchronizer.zip to a directory of your choice. In the following steps, this directory is referred to as <installation directory>.

The installation process creates log files in the following locations:

    <Synchronizer directory>/Logs/Installation.log
    <Installation directory>/Installation.log

Note: You must install the Synchronizer on a clean machine.

Configure Vault components

PrivateArk client

1. Go to File > Server File Categories... > New and add the following File Categories for the Conjur Host platform:

   File Category Name    Type    Required Category
   HostName              TEXT    No
   ApplianceURL          TEXT    No
   ConjurAccount         TEXT    No

2. Go to Tools > Administrative Tools > Users and Groups > New > User to create the user for the Synchronizer. Provide a password for this user and set the following values:

   Tab             Column                                      Value
   General         User name                                   Sync_<Synchronizer machine hostname>
   General         User type                                   APPProvider
   Authentication  User must change password at next log on    Uncheck
   Authentication  Password never expires                      Check

PVWA

1. Log in to the PVWA as a Vault administrator.

2. To import the Conjur Host platform, go to ADMINISTRATION > Platform Management > Import Platform and open Policy-ConjurHost.zip from the <installation directory>/Installation folder.

3. To activate the CyberArk Vault platform, go to ADMINISTRATION > Platform Management, select CyberArk Vault, select Active, and save.

4. Create a Safe named ConjurSync. Assign ownership of the Safe to the Synchronizer Vault user with the following permissions:

   Role                  Permissions
   Access                Use account, Retrieve account, List accounts
   Account Management    Add account, Update account content, Update account properties
   Workflow              Access Safe without confirmation
   Advanced              Create folder, Delete folders

5. Log off from the PVWA.

Installation

This topic describes how to install the Synchronizer on the Windows platform.

The Synchronizer can be installed in either of the following ways:


Installation method    Description
Standard               You are asked to provide information throughout the installation process.
Silent                 The installation is initiated either by a user or by a script, and is performed without any human interaction.

Standard installation

1. Open a Windows PowerShell window as an administrator, navigate to <installation directory>/Installation and run the following command according to the Conjur server version:

   For Conjur v5:

       .\V5SynchronizerInstallation.ps1

   For Conjur v4:

       .\V4SynchronizerInstallation.ps1

2. Follow the installation prompts.

3. When the installation process ends, the CyberArk Vault-Conjur Synchronizer service appears in the Windows Services Management Console and the CyberArk Vault-Conjur Synchronizer event log appears in the Event Viewer under Applications and Services Logs.

Silent installation

To run a silent installation, you need the following prerequisites:

A credential file for the Conjur Admin user. During installation, the Conjur Admin user creates the Synchronizer host in Conjur.

A configured silent.ini file.

Do the following to prepare and run the silent installation:

1. Open a Windows PowerShell window as an administrator, navigate to <installation directory>/Installation/ and run the following commands to create a credentials file for the Conjur Admin user:

       $username = "<Conjur admin username>"
       $password = Read-Host "Enter the Conjur admin password" -AsSecureString
       $credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$password
       $credentials | Export-Clixml ConjurAdminCredFile.xml

   Export-Clixml protects the SecureString with Windows DPAPI, so the file can only be read by the same Windows user on the same machine; run these commands as the account that will run the installation script.

2. Go to <installation directory>/Installation and edit the silent.ini file:

   InstallationTargetPath
       Location to install the Synchronizer.
       Default value: C:\Program Files\CyberArk\Synchronizer

   ConjurServerDNS
       Conjur server DNS name, including the port if needed.

   VaultName
       The logical name for the CyberArk Vault used to synchronize with Conjur, for example its DNS name.

   ConjurAccount
       Conjur v5: the name of the Conjur account to which you would like to sync.
       Conjur v4: leave empty.

   VaultAddress
       Address of the CyberArk Vault used to synchronize with Conjur.

   VaultPort
       Default value: 1858

   SynchronizerVaultUsername
       User name of the Synchronizer Vault user.

   ConjurCredentialsFilePath
       Full path of the Conjur Admin user's credentials file created in step 1 (<installation directory>/Installation/ConjurAdminCredFile.xml).

3. Open a Windows PowerShell window as an administrator, navigate to <installation directory>/Installation and run the following command according to the Conjur server version:

   For Conjur v5:

       .\V5SynchronizerInstallation.ps1 -silent

   For Conjur v4:

       .\V4SynchronizerInstallation.ps1 -silent


4. When the installation process ends, the CyberArk Vault-Conjur Synchronizer service appears in the Windows Services Management Console and the CyberArk Vault-Conjur Synchronizer event log appears in the Event Viewer under Applications and Services Logs.

Post installation

During the installation process, the installer created a credentials file for the Synchronizer's Conjur host. To create an account for this host in the Vault, you need to decode the credentials stored in this file. This account is the Synchronizer's representation in Conjur and is used to retrieve the Synchronizer identity in Conjur.

If you performed a standard installation, skip the Create a cred file for the Synchronizer's Vault user step.

Create a cred file for the Synchronizer's Vault user

Note: Perform the following steps only after a silent installation.

1. Open a Windows PowerShell window as an administrator, navigate to <installation directory>/Installation/CreateCredFile and run the following command:

       .\CreateCredFile.exe VaultConjurSynchronizerUser.cred Password /Username Sync_<Synchronizer machine hostname> /Password <Synchronizer Vault User password> /ExePath "<Synchronizer directory>\VaultConjurSynchronizer.exe" /Hostname

   The /ExePath and /Hostname switches bind the cred file to the Synchronizer executable and to the machine it is created on, so a copied file cannot be used by another process or host.

2. Move the output file to <Synchronizer directory>\Vault.

Add an account in the Vault for the Synchronizer's Conjur host

1. Navigate to <installation directory>/Installation and run the following commands to read the credentials of the Synchronizer Conjur host:

       $credentials = Import-Clixml -Path synchronizerConjurHost.xml
       $credentials.Username
       $credentials.GetNetworkCredential().Password

2. Use the values from step 1 to add an account in the PVWA with the following values:

   Parameter                              Value
   Device Type                            Application
   Platform Name                          Conjur Host
   Store in Safe                          ConjurSync
   Host Name                              The value of $credentials.Username, for example host/mysynchost
   Appliance URL                          https://<Conjur Server DNS>/api
   ConjurAccount                          Conjur v5: the name of the Conjur account to which you would like to sync. Conjur v4: leave empty.
   Password                               The value of $credentials.GetNetworkCredential().Password
   Name                                   Conjur_<name>, where name is the DNS of Conjur. For example, Conjur_conjur-myorg
   Allow automatic password management    Disable

   The host's API key is displayed in clear text by the command in step 1; close the PowerShell session (and stop any transcript) once the account has been created.

Security

By default, the installation restricts permissions on the Synchronizer folder to the Administrators group only. If you wish to run the Synchronizer with an OS user that is not a member of the Administrators group, give this user read, execute, and write permissions on the Synchronizer folder.

Following Synchronizer installation, permanently delete or protect the credentials used during installation. This includes the ConjurAdminCredFile.xml and synchronizerConjurHost.xml files.


For v4 EE installation only:

If Ruby was not installed prior to the Synchronizer installation, the installation restricts permissions on the Ruby folder to the Administrators group.

Users in the Users group have read-only access to the ConjurPolicies folder.

For v5 EE installation only:

During the Synchronizer installation process, the Conjur server's issuer certificate is retrieved and stored in the LocalMachine\Root certificate store. This occurs only if the Conjur server's issuer certificate is not already trusted.

Because the installer trusts whichever issuer certificate it retrieves on first contact, confirm that the certificate it added to LocalMachine\Root is the one your Conjur administrators expect before relying on the installation.

We recommend configuring the Conjur appliance with a certificate issued by your organization's Certificate Authority.


Configuration

This topic describes the configuration of the CyberArk Vault-Conjur Synchronizer Windows service and its files. The configuration files define how the Synchronizer works and are modified automatically during installation. You may edit the CyberArk Vault-Conjur Synchronizer Windows service and its configuration files manually after installation according to the tables below.

Note: If you modify a configuration file, restart the CyberArk Vault-Conjur Synchronizer service.

CyberArk Vault-Conjur Synchronizer Windows service configuration

The following table lists the parameters used for the CyberArk Vault-Conjur Synchronizer Windows service configuration. You can modify the following:

General > Startup type
    Indicates how and when this service is started.
    Default: Automatic (service starts at boot time)

Log On > Log on as
    The account under which the service runs.
    Default: Local System Account (an account, used by the service control manager, that has extensive privileges on the local computer and acts as the computer on the network). A dedicated non-administrator account needs the folder permissions listed under Security.

Recovery > First failure
    The action that occurs on the first service failure.
    Default: Restart the Service

Recovery > Second failure
    The action that occurs on the second service failure.
    Default: Restart the Service

Recovery > Subsequent failures
    The action that occurs on subsequent service failures.
    Default: Take No Action

Recovery > Reset fail count after
    Time after which the failure count is reset to 0.
    Default: 1 day

Recovery > Restart service after
    Time between service failure and service start, if the action is Restart the Service.
    Default: 1 minute

VaultConjurSynchronizer.exe.config

The following table lists the parameters in the main configuration file, which are set automatically during the installation process. These parameters define how the Synchronizer works. You can modify the following:

INTEGRATION_VAULT_NAME
    The logical name for the CyberArk Vault used to synchronize with Conjur, for example the DNS name.
    Default: the Vault name that was used during installation.

CONJUR_CERT_FILE_PATH
    Conjur v4 EE only: the path to the certificate file provided by the Conjur server.

SYNC_INTERVAL_TIME
    Interval (in seconds) at which the Synchronizer refreshes accounts from the Vault.
    Default: 300

CRED_FILE_PATH
    The path to the Synchronizer Vault user's cred file.
    Default: ./Vault/VaultConjurSynchronizerUser.cred

VAULT_FILE_PATH
    The path to the Vault.ini file, used primarily to configure the CyberArk Vault address.
    Default: ./Vault/Vault.ini

LOGS_FOLDER_PATH
    Path to the log files. If you customize the log file path, restrict read/write permissions to the Administrators group.
    Default: ./Logs

POLICIES_FOLDER_PATH
    Conjur v4 EE only: the path to the directory where Conjur policies are written. If you customize the policies folder path, restrict read/write permissions to the Administrators group and give read-only permissions to the Users group.
    Default: ./ConjurPolicies

CASOS_LOG_LEVEL
    Defines which casos log level is created. Valid values: OFF, ERROR, DEBUG
    Default: ERROR

log4net > root > level
    The log root level. Logs are written from the selected level and above. Valid values: ALL, DEBUG, INFO, WARN, ERROR, FATAL, OFF
    Default: INFO

log4net > root > appender > MaximumFileSize
    The maximum size (in MB) of the log file before it is rolled.
    Default: 4MB

log4net > root > appender > MaxSizeRollBackups
    The maximum number of backup files that are kept before the oldest is erased.
    Default: 10

log4net > appender name="eventLog"
    Specify the LevelMin and LevelMax parameters. Valid values: DEBUG, INFO, WARN, ERROR, FATAL
    Default: LevelMin = Warn, LevelMax = Fatal

Vault.ini

The Vault parameter file, Vault.ini, contains all the information about the Vault that will be accessed by CyberArk components. Each component that accesses the Vault requires a Vault.ini file of its own.

Note: The semicolon (;) and hash (#) characters indicate the beginning of a remark. However, if these characters appear between quotation marks ("") or after an equals sign (=), they are considered part of a parameter.

Vault
    Description: The name of the Vault.
    Acceptable Values: String
    Default Value: None

Address
    Description: The IP address of the Vault.
    Acceptable Values: IP address
    Default Value: None

Port
    Description: The Vault IP port.
    Acceptable Values: Number
    Default Value: 1858

Timeout
    Description: The number of seconds to wait for the Vault to respond to a command before a timeout message is displayed.
    Note: If you change either SYNC_INTERVAL_TIME in VaultConjurSynchronizer.exe.config or TIMEOUT in Vault.ini, make sure that TIMEOUT * 2 does not exceed SYNC_INTERVAL_TIME (the defaults, 30 and 300 seconds, satisfy this).
    Acceptable Values: Number
    Default Value: 30

ProxyType
    Description: The type of proxy through which the Vault is accessed.
    Acceptable Values: HTTP, HTTPS, SOCKS4, SOCKS5
    Default Value: None

ProxyAddress
    Description: The proxy server IP address. This is mandatory when using a proxy server.
    Acceptable Values: IP address
    Default Value: None

ProxyPort
    Description: The proxy server IP port.
    Acceptable Values: Number
    Default Value: 8081

ProxyUser
    Description: User for the proxy server if NTLM authentication is required.
    Acceptable Values: User name
    Default Value: None

ProxyPassword
    Description: The password for the proxy server if NTLM authentication is required. The value is stored in clear text in Vault.ini; prefer the ProxyCredentials parameter.
    Acceptable Values: Password
    Default Value: None

ProxyAuthDomain
    Description: The domain for the proxy server if NTLM authentication is required.
    Acceptable Values: Domain name
    Default Value: NT_DOMAIN_NAME

BehindFirewall
    Description: Access the Vault via a firewall.
    Acceptable Values: Yes/No
    Default Value: No

UseOnlyHTTP1
    Description: Use only the HTTP 1.0 protocol. Valid either with proxy settings or with BehindFirewall.
    Acceptable Values: Yes/No
    Default Value: No

NumOfRecordsPerSend
    Description: The number of file records that require an acknowledgement from the Vault server.
    Acceptable Values: Number
    Default Value: 15

NumOfRecordsPerChunk
    Description: The number of file records to transfer together in a single TCP/IP send/receive operation.
    Acceptable Values: Number
    Default Value: 15

EnhancedSSL
    Description: Whether or not to use an enhanced SSL-based connection (port 443 is required).
    Acceptable Values: Yes/No
    Default Value: No

PreAuthSecuredSession
    Description: Whether or not to enable a pre-authentication secured session.
    Acceptable Values: Yes/No
    Default Value: No

TrustSSC
    Description: Whether or not to trust self-signed certificates in pre-authentication secured sessions. Keep the default in production; a self-signed certificate is not verifiable against your CA.
    Acceptable Values: Yes/No
    Default Value: No

ProxyCredentials
    Description: The name of a file that contains the proxy credentials. This parameter can be used instead of the ProxyUser and ProxyPassword parameters.
    Acceptable Values: Full pathname
    Default Value: None

AllowSSCFor3PartyAuth
    Description: Whether or not self-signed certificates are allowed for 3rd party authentication (e.g. RADIUS).
    Acceptable Values: Yes/No
    Default Value: No
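A small parser for the Vault.ini remark rule above, followed by the Timeout versus SYNC_INTERVAL_TIME check and two review-style warnings. This is an added example and not CyberArk code; the sample file content is constructed, the function names are invented, and the interval check assumes the note in the Timeout row means that twice the timeout must not exceed the sync interval (the documented defaults of 30 and 300 seconds satisfy that reading).

```python
"""Parse a Vault.ini file with its remark rule and check it against the
Synchronizer interval (added example, not CyberArk code)."""

# Constructed sample; parameter names are those of the Vault.ini table above.
SAMPLE_VAULT_INI = """\
; Vault.ini for the Synchronizer (constructed sample)
Vault=Vault_Name
Address=10.0.0.5
# Port left at the default
Port=1858
Timeout=30
ProxyType=HTTP
ProxyAddress=10.0.0.9
ProxyPassword=p#ss;word
"""

DEFAULT_TIMEOUT = 30            # Vault.ini default
DEFAULT_SYNC_INTERVAL = 300     # VaultConjurSynchronizer.exe.config default


def split_key_value(line):
    """Return (key, '=', value) or ('', '', '') when the line is a remark.

    Only the text before the first '=' is scanned for ; and #: after the
    '=' they belong to the value, and inside double quotes they are literal.
    """
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in ";#" and not in_quotes:
            return "", "", ""                      # remark before any '='
        elif ch == "=" and not in_quotes:
            return line[:i].strip(), "=", line[i + 1:].strip()
    return "", "", ""                              # no '=': not a parameter


def parse_vault_ini(text):
    params = {}
    for raw in text.splitlines():
        key, sep, value = split_key_value(raw.strip())
        if sep:
            params[key] = value
    return params


def timeout_fits_interval(params, sync_interval_time=DEFAULT_SYNC_INTERVAL):
    """True when TIMEOUT * 2 does not exceed SYNC_INTERVAL_TIME.

    Assumption: the note in the Timeout row is read as 'at most'; the
    documented defaults (30 and 300 seconds) satisfy it.
    """
    timeout = int(params.get("Timeout", DEFAULT_TIMEOUT))
    return timeout * 2 <= sync_interval_time


def security_warnings(params):
    """Settings a reviewer would flag in a production Vault.ini."""
    warnings = []
    if params.get("TrustSSC", "No").lower() == "yes":
        warnings.append("TrustSSC=Yes accepts self-signed certificates; keep No")
    if "ProxyPassword" in params:
        warnings.append("ProxyPassword is stored in clear text; use ProxyCredentials")
    return warnings


if __name__ == "__main__":
    cfg = parse_vault_ini(SAMPLE_VAULT_INI)
    print(cfg)
    print("timeout ok:", timeout_fits_interval(cfg))
    for w in security_warnings(cfg):
        print("warning:", w)
```

The sample's ProxyPassword line shows why the remark rule matters: a naive parser that strips everything after ; or # would silently truncate a password containing either character and the proxy authentication would fail with no obvious cause.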


Run Synchronizer

This topic describes how to run the Vault-Conjur Synchronizer.

1. Open the Windows Services Management Console and start the CyberArk Vault-Conjur Synchronizer service. You can also start this service from the command line:

       sc.exe start CyberArkVaultConjurSynchronizer

2. Go to <LOGS_FOLDER_PATH> and open the VaultConjurSynchronizer.log log file to verify that the Synchronizer is running without errors.

   You can configure the log folder path with the LOGS_FOLDER_PATH parameter in the VaultConjurSynchronizer.exe.config file.

Note: The first sync might take some time.


Line of Business (LOB)

Overview

A line of business (LOB) represents a business group that requires access to secrets from the Vault. This enables segregation of duties (SoD). The LOB facilitates the syncing of accounts to Conjur.

This topic describes how to add an LOB user and assign its permissions.

Add an LOB

Note: An LOB name cannot include special characters.

PrivateArk client

Go to Tools > Administrative Tools > Users and Groups > New > User, create a Vault user for the LOB, provide a password for this user, and set the following values:

   Tab             Column                                      Value
   General         User name                                   LOBUser_<LOB name>
   General         User type                                   APPProvider
   Authentication  User Must Change Password at Next Logon     Uncheck
   Authentication  Password never expires                      Check

PVWA

1. Assign the Vault user LOBUser_<LOB name> as an owner of the Safes you would like to sync with Conjur. The LOBUser_<LOB name> user requires the following permissions:

   Role        Permissions
   Access      Use accounts, Retrieve accounts, List accounts
   Workflow    Access Safe without confirmation

2. Create an account for the LOB User with the following configuration. The account name must have the prefix LOBUser_<LOB name>. To set this, see Customize the account name, below.

   Configuration

   Parameter                 Value
   Device Type               Application
   Platform Name             CyberArk Vault (supported on Vault version 5.0 and above)
   Store in Safe             ConjurSync
   User Name                 LOBUser_<LOB name>
   Address                   IP address of the Vault
   Password                  Password of LOBUser_<LOB name>
   Customize Account Name    LOBUser_<LOB name>

Customize the account name

In the PVWA v10 interface:


In the PVWA classic interface:

Note: If you want to sync more than one safe with Conjur, send a separate Add LOBUser to synchronized Safe request with the Safe name for each one.

Delete an LOB

To stop syncing a particular LOB, do the following:

Caution: After deleting an LOB, other hosts or users can no longer access the LOB's variables.


PVWA

This step deletes the LOB account in the PVWA. The Synchronizer will no longer sync the LOB.

1. Log in to the PVWA as a Vault administrator.

2. Delete the LOBUser_<LOB name> account from the ConjurSync safe.

PrivateArk client

This step deletes the LOB user in PrivateArk. The user is then no longer counted for license purposes.

Delete the LOBUser_<LOB name> user.

Conjur v5 EE

This step deletes an LOB from Conjur.

1. Create a policy file named deleteLob_<lobName>.yml for the LOB you intend to delete.

2. In the policy file, enter the following text, replacing <lobName> with the LOB you intend to delete:

       - !delete
         record: !group <lobName>-admins

3. Log in to Conjur as a Conjur Administrator and load the policy with the Conjur CLI:

       conjur policy load --delete <VaultName> <path to your policy>

   This can also be done using the Conjur v5 update policy REST API: https://www.conjur.org/api.html#policies-update-a-policy-patch

Conjur v4 EE

This step removes permissions from the LOB's variables. The variables will no longer be accessible.

1. Copy the <vault name>/<LOB name> policy from the POLICIES_FOLDER_PATH folder to another location accessible to the Conjur CLI, and edit it as follows:

   a. Replace all occurrences of active-variables with inactive-variables.

   b. Change the ownership of all variables from !group lob_name-admins to !policy.

   c. Add the following permit statement at the end of the policy file:

          - !permit
            replace: true
            role: !policy
            privilege: [ read, execute ]
            resources: *inactive-variables


2. Log in to Conjur as a Conjur Administrator and load the policy with the Conjur CLI:

       conjur policy load <path_to_policy_file>

3. Delete the original policy file (<vault name>/<LOB name>) from the POLICIES_FOLDER_PATH folder.

Supported LOBs

The Synchronizer supports up to 10 LOBs. If you initially add more than 10 LOBs, the Synchronizer does not start and generates an error in the logs.

If you add LOBs after the Synchronizer has started and the total number of LOBs exceeds 10, the Synchronizer does not sync the additional LOBs and generates an error in the logs.


Conjur Policies

A Conjur policy enables you to define security rules in declarative files. These securityrules describe which users and services have privileges to accessmachines, or to getsecrets like passwords and API keys.

After the Synchronizer loads the LOB policies where Conjur variables are defined, youcan apply different Conjur delegation policies to provide permissions to the syncedvariables to Conjur users, groups, hosts, and layers.

Conjur 4 EE
Example:

- !host
  id: delegated-host

- !permit
  role: !host delegated-host
  privileges: [ read, execute ]
  resources: [ !variable <variable-id> ]

To load the delegation policy, log in as the LOB administrator. To retrieve the API key of the LOB administrator, log in to Conjur as the Conjur administrator and run the following command:

conjur user rotate_api_key --user <lob name>-admin


Conjur v4 EE: For details on creating and loading Conjur policies, see the Policy Guide.

Conjur 5 EE
A user granting role permissions for an LOB variable defined in a Conjur policy:

- Must be a member of the lob-admins group.
- Must perform this task by using the Append to Policy REST API to update the Vault/LOB policy: https://www.conjur.org/api.html#policies-append-to-a-policy-post

Caution: Avoid using PUT (--replace) to update a Vault/LOB policy. This can remove all synchronized secrets under the LOB.

Example
In the following example, /myapp/myhost represents a role, and vault/lob/safe/account/password is a variable.

In order to provide permissions to read and execute the variable for the role:

1. Create a delegation policy file.

- !permit
  role: !host /myapp/myhost
  privileges: [ read, execute ]
  resources: [ !variable safe/account/password ]

2. Log in to Conjur as an LOB administrator. Load the policy using the Conjur CLI:

conjur policy load vault/lob <path_to_policy_file>

You can also do this using the Append to Policy REST API: https://www.conjur.org/api.html#policies-append-to-a-policy-post

A Conjur admin can add a user to the lob-admins group using a grant statement.


Accounts and Safes

Manage single accounts
This topic describes how you can provision accounts in the Password Vault.

Provisioning methods

Method | Description
PVWA | You can provision accounts individually in the Vault in the Add Accounts page of the PVWA.
Accounts Feed | You can configure the CPM to scan an organizational network and retrieve a list of accounts that have access to its computers and their dependencies.
Provisioning Accounts Automatically | You can detect and provision accounts automatically, providing a full life-cycle automatic management system for Windows accounts and their services.
Web Service | You can provision accounts using the AddAccount web service.
Bulk upload | You can provision multiple accounts with the Password Upload utility.

For more information about these provisioning methods, see the Privileged Access Security Implementation Guide.


Add an account in the PVWA
The following procedure describes how to add an account in the PVWA.

Add an account
1. Click ACCOUNTS to display the Accounts page.
2. Click Add Account; the Add Account page appears.

Note: This button will only be displayed if you have the Add accounts, Update password value, or Update password properties authorization in at least one Safe.

3. From the Safe drop-down list, select the Safe where the account will be stored.
4. From the Device drop-down list, select the platform on which the new password is used.
5. From the Platform Name drop-down list, select an active target platform.
6. Required or optional properties for the type of account that you have selected will appear automatically, according to the definitions in the target platform configurations.
7. Specify the required account properties and, if necessary, the optional account properties.

Note: To specify an IPv6 address, specify the global format, as shown in the following example: 1000:1000:1000:1000:1000:1000:1000:0055. For a list of platforms that support automatic password management on IPv6, refer to the Privileged Access Security System Requirements.

8. In the Password field, specify the password. Make sure this password meets your enterprise password policy requirements.
9. In the Confirm Password field, specify the password again.
10. To generate a password name automatically, select Auto-generated. For more information about naming passwords automatically, refer to Identifying Accounts in the Privileged Access Security Implementation Guide.
11. To specify a password name, enter the name in the Custom field.
12. To disable automatic password management by the CPM for this password so that it will be managed manually, select Disable automatic management for the password. You can also enter a reason for doing this.

Note: The CPM user must be an owner of the Safe where the password will be stored, and a platform name of an active target account platform must be specified, in order for the password to be managed by the CPM.

13. Click Save; the new account is added.
14. If the PVWA is configured to automatically change or verify passwords when they are added, this will be done now. For more information about configuring this feature, refer to Adding Accounts in the Privileged Access Security Implementation Guide.
15. The account is now created in the specified Safe and the new account details are displayed in the Account Details page. If the specified password contains leading and/or trailing white space character(s), a message appears in the Account Details page indicating that they will automatically be removed.
16. Some platforms require additional information. You can specify this information in the tabs in the Account Details page.


Manage Dual Accounts
The Dual Accounts deployment method eliminates any edge case delays that may be encountered when using the Single Account deployment method. Using the Single Account deployment method, delays may be incurred in edge cases such as when a password is requested exactly when the CPM is changing that password. Dual Accounts ensures no such delays are incurred when the application needs credentials, since a password that is currently used by an application will never be changed. This is especially recommended in high load and critical applications.

The Dual Accounts method ensures seamless, safe access to a system, database, or application. With this type of account rotation, there are no blackout periods when passwords expire.

How it works
Two accounts with identical privileges are assigned: one active (A), one inactive (B). There is always an active account, which remains untouched during password rotation. This ensures business continuity, with no delays.

Rotation 1
At the set date for password rotation, account A, the first account in use, is deactivated, and B is activated.

While the second account B is active, there is a grace period, during which the deactivated first account A will have its password reset. This allows all applications to register the change and switch to using the newly active account.

Rotation 2
At the next set date for password rotation, account B is deactivated. Account A is now active.

Deactivated account B has its password reset at the end of this grace period.

Dual Account properties
The Dual Account solution uses two account properties to determine which accounts are valid for use at any given time.

Property | Description
DualAccountStatus | This property flags accounts as Active or Inactive. Dual account pairs will always have one active account and one inactive account.
VirtualUsername | This property identifies two identically provisioned accounts in a dual accounts pair under one virtual username.


On each target system, there must be two accounts with identical permissions, the dual accounts pair, used by the application to connect to the system. In the Vault one account is tagged as active and the other account is tagged as inactive (using the DualAccountStatus property), while on the target system (e.g. database), they are both enabled. CyberArk AIM does not enable or disable accounts on target systems.

A typical example is when an application connects to a remote database.

The BillingApp application regularly requests an account password from the Credential Provider in order to connect to a DB2 database, located on 10.0.0.1.

When using the Dual Account solution, two accounts must reside on the DB2 database. Both accounts have the same value for their VirtualUsername property, which links them and creates the dual accounts pair. These accounts will be used by the BillingApp application to connect to the database when required. One account is always Active and one account is always Inactive. Account status will be updated during a password change.


Configure dual accounts
This topic describes how to configure Dual Account password management.

Configure support for dual account password management
To support rotation of the two accounts before a Central Policy Manager password change, the two accounts are grouped into a Rotational Group.

For details about the PAS functionality mentioned in this section, see the Privileged Access Security Implementation Guide.

Prepare the Vault environment for dual account support

Note: This step needs to be done once.

In the PrivateArk Client, add the following file categories to the Vault environment:

Note: Make sure that the file categories are configured at the Vault level and not at the Safe level.

Category | Type | Description
CurrInd | Numeric | This file category is applied to the group account and indicates the currently active account in the Rotational Group context. The value matches an account index (see below) in the Rotational Group.
Index | Numeric | This file category is applied to all accounts in the Rotational Group. Accounts will be rotated in ascending order according to their index.
DualAccountStatus | List | Valid values: Active/Inactive
VirtualUsername | Text | A logical name that represents both accounts in the Rotational Group.

Rotational group platform configuration
Configure the Platform that will be used by the Group Object.

Note: Do this step for each Platform setting. If one Platform setting addresses all Dual Accounts' pairs and their needs, it may be reused.

In PVWA's Platform Management:
1. Duplicate the Sample Password Group Platform template.


2. Rename the Platform to represent its purpose. For example, Rotational Policy.
3. Activate the Platform. Click Edit to configure the new policy.
4. Go to Target Account Platform > Automatic Password Management > General. Edit the Platform's PolicyType to RotationalGroup.


5. Go to Target Account Platform. Right-click Automatic Password Management > Add additional Policy Settings. Right-click Additional Policy Settings > Add Parameters. Right-click Parameters > Add Parameter. Add a custom property to the group, called GracePeriod.
6. Set the GracePeriod parameter and value:
   The GracePeriod value is the number of minutes between the rotation of roles between the accounts (Active/Inactive) and the beginning of the password change process for the current Inactive Account. This enforces a delay that ensures there are no discrepancies between the account being used by the application and the one having its password rotated.
   It is recommended that the GracePeriod value is set to be 3 times longer than the sync interval time (SYNC_INTERVAL_TIME) parameter of the Synchronizer.

Note: In an environment where Dual Accounts is implemented for both AIM and Conjur, set the value of the GracePeriod for both to whichever value is higher.


   The GracePeriod value is the number of minutes between the rotation of roles between the accounts (Active/Inactive) and the beginning of the password change process for the current Inactive Account. This enforces a delay that ensures there are no discrepancies between the account being used by the application and the one having its password rotated, similar to the StartChangeNotBefore property used in single account management.
   It is recommended that the GracePeriod value is set to be 3 times longer than the CacheRefreshInterval of the Credential Provider. The CacheRefreshInterval parameter is stored in the main configuration file in the Vault.

7. Save the new Platform.

Configure the object's platform for dual account support
Configure the Platform that will be used by each of the Dual Accounts' objects.

Note: This step needs to be done for each Platform used by Dual Account objects.

Configure the object's platform
1. Go to Target Account Platform > UI & Workflow > Properties. Right-click Optional. Add the following properties previously defined in the Vault:
   Index
   DualAccountStatus
   VirtualUsername
2. Save the Platform.

Configure accounts and groups for dual accounts support

Note: This step is done for each account that is used as a Dual Account.

Configure for dual accounts support

1. Click to configure dual account support.


2. Create the account object.

Note: Both accounts must be created in the same Safe.

3. For each dual account, select Account Details > Edit to edit the dual account properties:

Property | Description
VirtualUsername | Logical representation of the account pair. This value must be the same on both accounts.
Index | Ascending from 1
DualAccountStatus | On the account with Index value '1', set this value to 'Active'. Set the other account to 'Inactive'.

4. On the CPM tab, click Create New or Modify to add the account to a group:

Property | Description
Group | Enter a group name. This should be the same for both accounts.
PlatformName | Specify the Dual Account platform that you specified in the previous step.

Set the index of the group object

Note: This step is done once on the group object.

Set index
Using the PrivateArk Client, edit the group object (this can be found in the Group folder of the Safe containing the Dual Accounts objects):
1. Right-click the Group object.
2. Select Properties > File Categories.


3. Add a file category called CurrInd with a value of 1. This indicates the index of the account that is set as Active.

Account rotation flow

Under Rotational Group Platform Configuration:
1. The CPM detects that the Rotational Group requires a password change, based on its Platform settings.
2. DualAccountStatus of both accounts is switched between Active and Inactive.
3. The CurrInd of the Group is updated to the index of the Active account.
4. The Inactive account is marked for a password change.
5. Based on the GracePeriod property of the Rotational Group Platform, the password change is delayed, allowing the Credential Provider to refresh its cache and start working with the current Active account.
6. Once the grace period has ended, the CPM will initiate a password change task for the Inactive account.

Configure the password change interval for dual accounts
The following section describes how to set the interval for an automatic password change in the PVWA:

In Dual Account configuration, a password is changed only after the Account Rotation process is completed and the GracePeriod has ended. Therefore, to comply with your organizational password change policy, the following formula can be used to calculate the password's expiration period (Require password change every X days) in the Rotational Group Platform settings:

There is an organizational audit requirement that passwords will be changed every 30 days. The Rotational Group has 3 members. Set the expiration period of the Rotational Group to 10 days.

Set the interval for automatic password change in PVWA
1. Go to Administration > Platform Management > Rotational Policy > Edit > Automatic Password Management > Password Change. Edit PerformPeriodicChange to Yes.
2. Go to Policies > Master Policy > Password Management > Require password change every X days. Select Add Exception. Select <platform you created earlier> > Next. Edit the value to the number of days wanted.
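The rotation flow and grace period described above, worked through as a small state model. This is an added example written for this page, not CyberArk code: the account and group names, the 10-minute Synchronizer sync interval, the guard against rotating while a password change is still pending, and the reading of the expiration example as the audit period divided by the number of group members are all assumptions of the example.

```python
"""Model of the Dual Account rotation flow and grace period described above.
Constructed example, not CyberArk code: it mirrors the Vault properties named on
the page (DualAccountStatus, Index, CurrInd, VirtualUsername, GracePeriod)."""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    index: int                 # Index file category: rotation order, ascending from 1
    status: str                # DualAccountStatus: "Active" or "Inactive"
    password_version: int = 1  # constructed counter standing in for the secret value


@dataclass
class RotationalGroup:
    virtual_username: str      # VirtualUsername shared by both accounts of the pair
    accounts: list
    grace_period_minutes: int  # GracePeriod parameter of the Rotational Group platform
    curr_ind: int = 1          # CurrInd file category on the group object
    pending: dict = field(default_factory=dict)  # account name -> grace minutes left

    def __post_init__(self):
        if len(self.accounts) != 2:
            raise ValueError("a dual account group holds exactly two accounts")
        if sorted(a.status for a in self.accounts) != ["Active", "Inactive"]:
            raise ValueError("one account must be Active and the other Inactive")
        if {a.index for a in self.accounts} != {1, 2}:
            raise ValueError("Index values must be 1 and 2")
        if self.curr_ind != self.active().index:
            raise ValueError("CurrInd must point at the Active account's Index")

    def active(self) -> Account:
        return next(a for a in self.accounts if a.status == "Active")

    def inactive(self) -> Account:
        return next(a for a in self.accounts if a.status == "Inactive")

    def rotate(self) -> None:
        """Flow steps 1-5: swap DualAccountStatus, update CurrInd, and schedule the
        now-Inactive account's password change for after the grace period."""
        if self.pending:
            # Model's own guard (assumption): a rotation must not overtake a
            # password change that is still waiting out its grace period.
            raise RuntimeError("previous password change still pending")
        for a in self.accounts:
            a.status = "Inactive" if a.status == "Active" else "Active"
        self.curr_ind = self.active().index
        self.pending[self.inactive().name] = self.grace_period_minutes

    def tick(self, minutes: int) -> list:
        """Advance the clock. Flow step 6: once the grace period has ended the CPM
        changes the Inactive account's password. Returns the names changed."""
        changed = []
        for name in list(self.pending):
            self.pending[name] -= minutes
            if self.pending[name] <= 0:
                acct = next(a for a in self.accounts if a.name == name)
                if acct.status != "Inactive":  # the Active account is never changed
                    raise RuntimeError(f"{name} is Active; refusing to change it")
                acct.password_version += 1
                changed.append(name)
                del self.pending[name]
        return changed


def recommended_grace_period(sync_interval_minutes: int) -> int:
    """Page guidance: GracePeriod = 3 x the Synchronizer's SYNC_INTERVAL_TIME
    (assumed here to be expressed in minutes)."""
    return 3 * sync_interval_minutes


def expiration_days(audit_requirement_days: int, group_members: int) -> int:
    """Assumed reading of the page's worked example (30-day requirement, 3 members
    -> 10 days): the audit period divided by the number of group members."""
    return audit_requirement_days // group_members


def demo():
    """Two rotations with a constructed 10-minute sync interval (30-minute grace)."""
    grp = RotationalGroup(
        virtual_username="billingapp_db2",  # constructed name
        accounts=[Account("billing_a", 1, "Active"),
                  Account("billing_b", 2, "Inactive")],
        grace_period_minutes=recommended_grace_period(10),
    )
    grp.rotate()                # Rotation 1: A deactivated, B activated
    early = grp.tick(20)        # still inside the grace period: nothing changed
    late = grp.tick(10)         # grace period over: A's password is changed
    return grp, early, late
```

Running demo() shows the invariant the page relies on: the Active account's password_version never moves, and CurrInd always equals the Active account's Index when the change for the Inactive account finally happens.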


Limitations
Account usages are not supported in automatic Dual Account configuration.

When initiating a manual password change on an account that is a member of a Rotational Group, the "Synchronize the current account's password with the group's password" radio button is not supported.

Selecting this option will cause the specific account's password to be out of sync with the Credential Provider cache.


One-time Passwords and Exclusive Accounts
The Synchronizer can retrieve accounts that have been configured for one-time password access and exclusive accounts. However, the effects of interactive user usage and application usage vary, as explained below.

Interactive usage of one-time passwords and exclusive accounts
When one-time accounts are used, their password is changed after every usage, based on the Master Policy. In addition, if Exclusive Access is enforced by the Master Policy, the account is automatically locked during usage. For more information about one-time passwords and exclusive access, refer to The Master Policy in the Privileged Access Security Implementation Guide.

Application usage of one-time passwords and exclusive accounts
Inherently, applications require passwords at a very high rate. Therefore, one-time password workflows are not relevant when applications retrieve passwords. Similarly, several applications in your organization may require the same account to be used at the same time and, therefore, exclusive account workflows are not relevant either.

Nevertheless, it is possible for applications to use accounts that have been configured to use one-time passwords and/or exclusive accounts. Unlike interactive user workflows, one-time passwords that are retrieved by the Synchronizer do not trigger a password change, nor will accounts be locked (if Exclusive Access is configured).

Interactive users may continue using these accounts at the same time as applications use them. However, use by interactive users and applications concurrently will invoke frequent password changes on accounts that have been configured for one-time access. Password changes require the Synchronizer to access the Vault in order to retrieve the new password and introduce additional load.

If possible, it is recommended to separate accounts used by interactive users and accounts used by applications.


Manage Accounts and Safes During Synchronization
This topic describes how to manage accounts and safes during synchronization.

Add an Account
1. Add an account to a synced safe (the LOB User is an owner of that safe).
2. In the next sync interval, the account is added to the LOB and corresponding variables are created in Conjur.
3. After the variables are created and loaded, create a delegation policy and grant permissions to hosts and users on the variables.

Rename an Account
1. Give an account that is synced to Conjur a new name. (The LOB User is an owner of the safe that the account is stored in.)
2. In the next sync interval, the renamed account is added to the LOB as a new account and the variables are created in Conjur.
3. After the variables are created and loaded, create a delegation policy and grant permissions to hosts and users for these variables.

Note: The variables that correspond to the account before you renamed it are not deleted from Conjur. For details, see Limitations, page 51.

Add a Safe
1. Create a new safe with accounts and add the LOB User as an owner of that safe, or add the LOB User as an owner of an existing safe.
2. In the next sync interval, the accounts are added to the LOB and the variables are created in Conjur.
3. After the variables are created and loaded, create a delegation policy and grant permissions to hosts and users on the variables.

Rename a Safe
1. Give a safe that already syncs to Conjur a new name. The LOB User is an owner of that safe.
2. In the next sync interval, the renamed safe's accounts are added to the LOB and the variables are created in Conjur.
3. After the variables are created and loaded, create a delegation policy and grant permissions to hosts and users on the variables.

The variables that correspond to the accounts before you renamed the safe are not deleted from Conjur. For details, see Limitations, page 51.

Delete an Account or Safe
Deleting an account or a safe from a currently synced LOB is not supported. For details, see Limitations, page 51.


Upgrade

This topic includes all the steps needed to upgrade the Vault-Conjur Synchronizer.

Note: Upgrade is supported from v10.3 forward.

1. Log in to the Synchronizer machine as an Administrator.
2. Unzip VaultConjurSynchronizer.zip to a directory of your choice.
3. Stop the CyberArk Vault-Conjur Synchronizer service.
4. Copy and replace all files except the Vault folder and VaultConjurSynchronizer.exe.conf from the unzipped VaultConjurSynchronizer folder to the Synchronizer folder.

Note: The previous location of the Synchronizer folder remains the same. By default, the Synchronizer folder is located here: C:\Program Files\CyberArk\Synchronizer.

Caution: The Vault folder itself and the configuration file, VaultConjurSynchronizer.exe.conf, must not be replaced.

5. Start the CyberArk Vault-Conjur Synchronizer service.


Uninstall Synchronizer

This topic describes how to uninstall the Synchronizer on a Windows platform.

Perform the following steps as an Administrator on the Synchronizer machine.

Note: If you are uninstalling in order to upgrade to a new version of the Synchronizer, we recommend backing up the Synchronizer folder (default path: C:\Program Files\CyberArk) before proceeding. Only perform the first two steps below.

1. Stop and delete the Windows service.

Run the following commands:

sc.exe STOP CyberArkVaultConjurSynchronizer

sc.exe DELETE CyberArkVaultConjurSynchronizer

2. Delete the Synchronizer folder.

The default location is C:\Program Files\CyberArk.

3. Conjur v4 EE only:Delete the Conjur gems.

Run the following commands:

gem uninstall conjur-api


gem uninstall conjur-cli

gem uninstall conjur-asset-policy

4. You can also delete each LOB created for the Synchronizer.

This step is optional. For details, refer to Delete an LOB, page 29.


Limitations

General Synchronizer limitations
High availability is not supported.

Synced accounts per LOB: One LOB can support up to 10,000 accounts; however, you cannot exceed 20,000 accounts across all 10 LOBs.

Variable names are limited to 126 characters.

You cannot add a username to an account that has already been synced by the Synchronizer. The username variable will not sync and an error message is written to the log during each sync interval.

We support two accounts in a dual account group.

Disaster Recovery Vaults are not supported.

Distributed Vaults are not supported.

Secret values that are synced from the CyberArk Vault must not be changed in Conjur. If such a secret value is changed in Conjur, unexpected behavior may occur. Change secret values only in their source accounts in the Vault.

The Synchronizer syncs accounts found in the root folder of the Safe. Accounts located in sub-folders are not synced to Conjur.

Deletion limitations
Deleting an account or a safe from a currently synced LOB is not reflected in Conjur.


Variables and their values are not deleted in Conjur when you delete an account in the Vault. This is also true for variables of accounts in a deleted safe.

Conjur v4 EE: After accounts are deleted from the Vault, the LOB admin should revoke permissions for Conjur variables of the deleted accounts.

Create a policy to revoke privileges:

- !permit
  role: !policy lob-id
  replace: true
  privileges: [ read, execute ]
  resources: [ !variable variable-to-delete ]

Conjur v5 EE and up: After accounts are deleted from the Vault, the LOB admin should delete the Conjur variables of the deleted accounts.

Upgrade limitations
Synchronizer running with Conjur v4 EE only: Upgrade is supported from Synchronizer v10.3 and up.

Note: A Synchronizer running with Conjur v4 EE cannot be transferred to run with Conjur v5 EE, and vice versa. Synchronizer downgrade is not supported.

Synchronizer running with Conjur v5 EE and up: A clean Synchronizer install is necessary.


Logs

Synchronizer log messages are written into log files and into the Windows Event log.

Log files
Synchronizer logs are located in <LOGS_FOLDER_PATH>. The logs folder contains the trace log files that track the Synchronizer activity. The main log file is called VaultConjurSynchronizer.log.

You can configure the log folder path and log level in the VaultConjurSynchronizer.exe.config file. For details, see Configuration, page 18.

Windows Event log
The Synchronizer logs are written to Event Viewer > Application and Services Logs > CyberArk Vault-Conjur Synchronizer. You can configure the log level in the VaultConjurSynchronizer.exe.config file. For details, see Configuration, page 18.

The following table describes the log levels based on the starting number of the Event ID:

If the Event ID starts with... | Synchronizer log level | Event log level
1 | Debug | Information
2 | Info | Information
3 | Warning | Warning
4 | Error | Error
5 | Fatal | Error

Log entry format
The following describes the log entry format:

[Date] [Thread ID] [Thread Context] [Debug Level] [Message]

Parameter | Description
Date | Time of the log entry.
Thread ID | ID of the thread that wrote the entry.
Thread Context | The name of the LOB processed by the thread, or main if outside the context of the LOBs.
Debug Level | The log root level. Logs are written from the selected level and above. Valid values: ALL, DEBUG, INFO, WARN, ERROR, FATAL, OFF.
Message | The log entry message.


Troubleshooting

This topic describes how to troubleshoot specific errors issued by the Synchronizer to the Logs, page 53.

Issue: Connection timeout to the vault
Error code: ITACM012S
Resolution: Increase the TIMEOUT parameter value in the <Installation path>\Vault\Vault.ini file. The default value is 60 seconds.

Issue: Connection timeout during loading policy via SDK
Error code: VCSS004E
Resolution: Set the HTTP_REQUEST_TIMEOUT parameter value in the <Installation path>\VaultConjurSynchronizer.exe.config file. The default value is 100,000 milliseconds (100 seconds).

Issue: At first Synchronizer start up, the number of LOBs exceeds 10
Error code: VCSS004F
Resolution: The Synchronizer can support up to 10 LOBs. If you initially add more than 10 LOBs, the Synchronizer doesn't start and generates an error in the logs. Verify the number of LOBs defined in the Vault is 10 or less.

Issue: At start up, the total count of LOBs exceeds 10
Error code: VCSS018E
Resolution: The total count of LOBs exceeds our limit of 10 while starting the Synchronizer service. Only those LOBs that have previously been synced will be synced again. Please remove the others listed in the error log as not synced. Reducing the number of LOBs to meet the limit will remove this error.

Issue: After start up, the number of LOBs exceeds 10
Error code: VCSS016E
Resolution: If you add LOBs after the Synchronizer started and the total number of LOBs exceeds 10, the Synchronizer does not sync these additional LOBs and generates an error in the logs. Verify the total number of LOBs defined in the Vault does not exceed 10.

Issue: Conjur is overloaded because too many LOBs are being synced
Error code: VCSS007E
Resolution: LOBs that did not sync will sync during the next interval.

Issue: Failed to initialize Conjur Client with exception of type System.Net.WebException and message The remote server returned an error: (401) Unauthorized
Error code: VCSS006E
Resolution: The Synchronizer Conjur host's credentials that are stored in the Conjur host account in the ConjurSync safe are incorrect. Verify that you can log in from a Conjur CLI with the credentials stored in the account by running these commands:

conjur authn logout

conjur authn login <HostName field of the account>

When prompted for an API key, use the password of the account. The account's credentials are created at the end of the installation process, and are stored in synchronizerConjurHost.xml. For details on creating the Conjur host account, see Post installation, page 15.

Issue: Failed to initialize Conjur Client with exception of type System.Net.WebException and message The remote server returned an error: (404) Not Found.
Error code: VCSS006E
Resolution: The Synchronizer Conjur host's ApplianceUrl that is stored in the Conjur host account in the ConjurSync safe is incorrect. Verify that the value of ApplianceUrl contains the URL:

https://<Conjur Server DNS>/api

Issue: Accounts are not syncing
Resolution: The Synchronizer is running but not syncing to Conjur. If you see these lines in the logs:

2018-04-17 15:19:14,865 [6] [main] INFO VaultConjurSynchronizer.Synchronizer - VCSS003I Refreshing accounts from the vault - start
2018-04-17 15:19:14,865 [6] [main] INFO VaultConjurSynchronizer.Synchronizer - VCSS003I Refreshing accounts from the vault - end

And not:

2018-04-17 15:28:07,770 [6] [main] INFO VaultConjurSynchronizer.Synchronizer - VCSS003I Refreshing accounts from the vault - start
2018-04-17 15:28:10,770 [9] [LOBUser_ops] INFO VaultConjurSynchronizer.Synchronizer - VCSS008I Syncing LOB - start
2018-04-17 15:28:30,770 [9] [LOBUser_ops] INFO VaultConjurSynchronizer.Synchronizer - VCSS008I Syncing LOB - end
2018-04-17 15:28:37,770 [6] [main] INFO VaultConjurSynchronizer.Synchronizer - VCSS003I Refreshing accounts from the vault - end

this indicates that the Synchronizer is refreshing but not syncing any LOBs because the LOB User account is not configured correctly.

Verify that the account is stored in the ConjurSync safe, and that the account name (and the username) start with "LOBUser_".
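The log entry format and Event ID level table from the Logs topic, and the "refreshing but not syncing" pattern from the last row above, worked through as a parser and a health check. This is an added example that is not part of the CyberArk documentation: the sample lines are constructed from the excerpts quoted in the table, the message-code regex and the finding text are the example's own, and the logger-name prefix before the message is taken from those excerpts rather than from the format line in the Logs topic.

```python
"""Parser for the Synchronizer log entry format described in the Logs topic,
the Event ID to log level mapping from that topic, and the 'refreshing but not
syncing' check from the Troubleshooting table. Constructed example, not CyberArk
code; the sample log lines are modelled on the ones quoted in the table."""
import re

# [Date] [Thread ID] [Thread Context] [Debug Level] [Message]; the quoted samples
# also carry a logger name before the message, separated by " - ".
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>\d+)\] \[(?P<context>[^\]]+)\] (?P<level>[A-Z]+) "
    r"(?P<logger>\S+) - (?P<message>.*)$"
)
CODE_RE = re.compile(r"\b([A-Z]{4,5}\d{3}[A-Z])\b")  # message codes, e.g. VCSS003I

# (Synchronizer log level, Event log level) by the leading digit of the Event ID.
EVENT_ID_LEVELS = {
    "1": ("Debug", "Information"), "2": ("Info", "Information"),
    "3": ("Warning", "Warning"), "4": ("Error", "Error"), "5": ("Fatal", "Error"),
}

# Constructed sample lines, modelled on the two excerpts in the Troubleshooting table.
LOGGER = "VaultConjurSynchronizer.Synchronizer"
REFRESH_ONLY = [
    f"2018-04-17 15:19:14,865 [6] [main] INFO {LOGGER} - VCSS003I Refreshing accounts from the vault - start",
    f"2018-04-17 15:19:14,865 [6] [main] INFO {LOGGER} - VCSS003I Refreshing accounts from the vault - end",
]
HEALTHY = [
    f"2018-04-17 15:28:07,770 [6] [main] INFO {LOGGER} - VCSS003I Refreshing accounts from the vault - start",
    f"2018-04-17 15:28:10,770 [9] [LOBUser_ops] INFO {LOGGER} - VCSS008I Syncing LOB - start",
    f"2018-04-17 15:28:30,770 [9] [LOBUser_ops] INFO {LOGGER} - VCSS008I Syncing LOB - end",
    f"2018-04-17 15:28:37,770 [6] [main] INFO {LOGGER} - VCSS003I Refreshing accounts from the vault - end",
]


def event_log_level(event_id: int) -> tuple:
    """Map a Windows Event ID to (Synchronizer log level, Event log level)."""
    return EVENT_ID_LEVELS[str(event_id)[0]]


def parse_line(line: str) -> dict:
    """Split one log entry into its fields; 'code' is the VCSS/ITACM message code."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    entry = m.groupdict()
    c = CODE_RE.search(entry["message"])
    entry["code"] = c.group(1) if c else None
    return entry


def check_sync_health(lines) -> list:
    """Walk VCSS003I refresh start/end cycles. A cycle with no VCSS008I 'Syncing
    LOB' entry inside it means the Synchronizer refreshed from the Vault but
    synced no LOB, the symptom the Troubleshooting table ties to a misconfigured
    LOBUser_ account. Returns one finding string per such cycle."""
    findings, cycle_start, lobs = [], None, []
    for entry in map(parse_line, lines):
        msg, code = entry["message"], entry["code"]
        if code == "VCSS003I" and msg.endswith("start"):
            cycle_start, lobs = entry["date"], []
        elif code == "VCSS008I" and msg.endswith("start"):
            lobs.append(entry["context"])       # thread context names the LOB user
        elif code == "VCSS003I" and msg.endswith("end") and cycle_start:
            if not lobs:
                findings.append(f"{cycle_start}: refresh completed without syncing any "
                                "LOB; check the LOBUser_ account in the ConjurSync safe")
            cycle_start = None
    return findings
```

Feeding VaultConjurSynchronizer.log through check_sync_health on a schedule gives an early signal that the LOBUser_ account has drifted, rather than waiting for someone to notice that Conjur variables are stale.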
