Vault-Conjur Integration
Version 10.4
Important Notice

Conditions and Restrictions

This guide is delivered subject to the following conditions and restrictions:

This guide contains proprietary information and ideas belonging to CyberArk Software Ltd. which are supplied solely for the purpose of assisting explicitly and properly authorized users of the CyberArk software.

No part of its contents may be used for any other purpose, disclosed to any person or firm or reproduced by any means, electronic and mechanical, without the express prior written permission of CyberArk Software Ltd.

The software described in this document is furnished under a license. The software may be used or copied only in accordance with the terms of that agreement.

Information in this document, including the text and graphics which are made available for the purpose of illustration and reference only, is subject to change without notice. Corporate and individual names and data used in examples herein are fictitious unless otherwise noted.

Third party components used in the CyberArk software may be subject to applicable terms and conditions.
Acknowledgements

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
This product includes cryptographic software written by Eric Young ([email protected]).
This product includes software written by Tim Hudson ([email protected]).
This product includes software written by Ian F. Darwin.
This product includes software developed by the ICU Project (http://site.icu-project.org/). Copyright © 1995-2009 International Business Machines Corporation and others. All rights reserved.
Copyright © 2000-2018 CyberArk Software Ltd. All rights reserved.
CyberArk®, the CyberArk logo, and all other names and logos that appear in this Guide are trademarks of CyberArk Software Ltd. and their respective owners.
Information in this document is subject to change without notice.
CS-010-4-0 9/16/2018
Table of Contents

Vault Conjur Synchronizer 5
  Solution benefits 6
  How does it work? 6
  Synchronizer Flow 7
  System requirements 9
  Hardware requirements 9
  Licensing 10
  Audits 10
Synchronizer Installation 11
  Configure Vault components 11
  Installation 12
    Standard installation 13
    Silent installation 13
  Post installation 15
  Security 16
    For v4 EE installation only: 17
    For v5 EE installation only: 17
Configuration 18
  CyberArk Vault-Conjur Synchronizer Windows service configuration 18
  VaultConjurSynchronizer.exe.config 19
  Vault.ini 22
Run Synchronizer 26
Line of Business (LOB) 27
  Overview 27
  Add an LOB 27
    Configuration 28
    Customize the account name 28
  Delete an LOB 29
  Supported LOBs 31
Conjur Policies 32
  Conjur 4 EE 32
  Conjur 5 EE 33
    Example 33
Accounts and Safes 34
  Manage single accounts 34
    Provisioning methods 34
    Add an account in the PVWA 35
  Manage Dual Accounts 37
    How it works 37
    Dual Account properties 37
    Configure dual accounts 39
  One-time Passwords and Exclusive Accounts 46
    Interactive usage of one-time passwords and exclusive accounts 46
    Application usage of one-time passwords and exclusive accounts 46
  Manage Accounts and Safes During Synchronization 47
Upgrade 48
Uninstall Synchronizer 49
Limitations 51
  General Synchronizer limitations 51
  Deletion limitations 51
  Upgrade limitations 52
Logs 53
  Log files 53
  Windows Event log 53
  Log entry format 54
Troubleshooting 55
Vault Conjur Synchronizer
CyberArk's Digital Enterprise Password Vault ® (EPV) integration with Conjur expands CyberArk Privileged Access Security to the DevOps space and to modern, dynamic environments. Secrets that are stored and managed in the CyberArk Vault can now be shared with Conjur and used via its clients, APIs and SDKs to enhance security and reduce risk for DevOps environments, including CI/CD pipelines, containerized applications, and cloud platforms.
The integration between the Enterprise Password Vault ® (EPV) and Conjur provides Security, IT, and DevOps teams with a common platform to enforce privileged access security policies on all platforms - On Premise/Cloud/DevOps - to form a consistent, unified enterprise-wide PAS Program.

Solution benefits
CyberArk's Digital Enterprise Password Vault ® (EPV) integration with Conjur provides the following benefits:
Enables CyberArk customers who store and manage their secrets in the Enterprise Password Vault ® (EPV) to benefit from Conjur's capabilities to provide secrets in dynamic and ephemeral environments and containers.
Enables central policy enforcement for DevOps use cases, such as rotation, monitoring, and auditing.
How does it work?
1. The Vault Admin creates LOB users and grants them ownership of specific safes. These LOBs facilitate the syncing of accounts to Conjur.
2. The CyberArk Vault-Conjur Synchronizer service (Synchronizer) retrieves the accounts for these LOBs.
3. The Synchronizer generates a Conjur policy for these LOBs that contains the secrets defined as variables, and loads it to Conjur.
4. The Synchronizer syncs the accounts to Conjur as Conjur variables.
5. The Conjur LOB Admin creates and loads a Conjur policy that delegates permissions on the variables to users and hosts.
During each sync interval, the Synchronizer repeats step 2 and, if needed, steps 3 and 4.
Synchronizer Flow
The Synchronizer syncs secrets from accounts in the root folder of safes that are owned by the LOB user.
The Synchronizer supports most account types. To learn more about single and dual accounts, see Accounts and Safes, page 34.
Note: Accounts used on Service Account platforms are not synced.
In each sync interval the following steps are taken:
1. The Synchronizer user retrieves all LOB User accounts from the ConjurSync safe.
If there is a new LOB, the Synchronizer generates the policy and loads it to Conjur.
For Conjur v4 EE only: the policy is also saved to a folder named ConjurPolicies.
Each Vault account is represented in Conjur by the following variables:
Variable Required
password Yes
username No
For example:

Account: Single account (Vault_Name/Safe1/Root/Account1)
Variable representation:
  Variable name: Vault_Name/lob_name/Safe1/Account1/username
  Annotations:
    cyberark-vault: true
    cyberark-vault/accounts: Vault_Name/Safe1/Account1
  Variable name: Vault_Name/lob_name/Safe1/Account1/password
  Annotations:
    cyberark-vault: true
    cyberark-vault/accounts: Vault_Name/Safe1/Account1

Account: Dual account (Vault_Name/Safe1/Root/Account1, Vault_Name/Safe1/Root/Account2)
Variable representation:
  Variable name: Vault_Name/lob_name/Safe1/virtual_user_name/username
  Annotations:
    cyberark-vault: true
    cyberark-vault/accounts: Vault_Name/Safe1/Account1, Vault_Name/Safe1/Account2
    cyberark-vault/dual-account: true
  Variable name: Vault_Name/lob_name/Safe1/virtual_user_name/password
  Annotations:
    cyberark-vault: true
    cyberark-vault/accounts: Vault_Name/Safe1/Account1, Vault_Name/Safe1/Account2
    cyberark-vault/dual-account: true

Account: Non-CPM managed account
Variable representation: Same as single account

Note: In a Dual account, the virtual_user_name of the Dual Account group must be unique per safe. For example, if a user has two Unix environments with Dual Account configured, the two environments cannot have the same virtual_user_name.
Note: If multiple LOBs own the same safe, a set of variables representing the username and password is created for each LOB in Conjur.
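The mapping above, written out as a small model so it can be checked against real safe contents before a sync. This is an added example and not the Synchronizer's own code: it derives the variable ids and annotations for single, dual and non-CPM managed accounts exactly as the table describes, applies the two notes as rules (a virtual_user_name that repeats within one safe is reported as a collision rather than silently pointing two groups at one id; a second LOB gets its own set of ids), and renders an illustrative flat list of !variable entries. The Vault, safe, account and LOB names are constructed, and the rendered layout is not the policy file the Synchronizer actually writes.

```python
"""Model of how synced Vault accounts map to Conjur variable ids and annotations.

Added example, not the Synchronizer's own code. Names below are constructed and
the rendered policy layout is illustrative only.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

VAULT = "Vault_Name"  # the INTEGRATION_VAULT_NAME value (constructed)


@dataclass
class SingleAccount:
    safe: str
    name: str          # account in the root folder of the safe (non-CPM managed accounts map the same way)


@dataclass
class DualAccount:
    safe: str
    virtual_user_name: str
    members: List[str]  # the two Vault account names in the dual-account group


Annotations = Dict[str, str]
Variable = Tuple[str, Annotations]


def account_ref(safe: str, name: str) -> str:
    """Form used in the cyberark-vault/accounts annotation."""
    return f"{VAULT}/{safe}/{name}"


def conjur_variables(lob: str, items: List[Union[SingleAccount, DualAccount]]) -> List[Variable]:
    """Return (variable_id, annotations) pairs for one LOB.

    Single accounts become <vault>/<lob>/<safe>/<account>/{username,password};
    a dual account becomes <vault>/<lob>/<safe>/<virtual_user_name>/{...} with
    both members listed in cyberark-vault/accounts and dual-account: true.
    A duplicate variable id (for example two dual-account groups sharing a
    virtual_user_name in one safe) raises ValueError instead of silently
    changing which secret the id points at.
    """
    seen = set()
    out: List[Variable] = []

    def emit(prefix: str, annotations: Annotations) -> None:
        for leaf in ("username", "password"):
            vid = f"{VAULT}/{lob}/{prefix}/{leaf}"
            if vid in seen:
                raise ValueError(f"variable id collision: {vid}")
            seen.add(vid)
            out.append((vid, dict(annotations)))

    for item in items:
        if isinstance(item, SingleAccount):
            emit(f"{item.safe}/{item.name}", {
                "cyberark-vault": "true",
                "cyberark-vault/accounts": account_ref(item.safe, item.name),
            })
        else:
            emit(f"{item.safe}/{item.virtual_user_name}", {
                "cyberark-vault": "true",
                "cyberark-vault/accounts": ", ".join(
                    account_ref(item.safe, m) for m in item.members),
                "cyberark-vault/dual-account": "true",
            })
    return out


def render_policy(variables: List[Variable]) -> str:
    """Render the variables as a flat list of !variable entries (illustrative layout)."""
    lines: List[str] = []
    for vid, annotations in variables:
        lines += ["- !variable", f"  id: {vid}", "  annotations:"]
        lines += [f"    {k}: {v}" for k, v in annotations.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    sample = [
        SingleAccount("Safe1", "Account1"),
        DualAccount("Safe1", "virtual_user_name", ["Account1", "Account2"]),
    ]
    print(render_policy(conjur_variables("lob_name", sample)))
```

Running the model over the contents of each LOB-owned safe before enabling the LOB is a cheap way to catch the per-safe virtual_user_name clash described in the note; the error names the exact id that would have been reused.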
2. The Synchronizer runs in intervals as defined by the SYNC_INTERVAL_TIME parameter in the VaultConjurSynchronizer.exe.config file. This process syncs the LOB-owned safes with Conjur. The default value for SYNC_INTERVAL_TIME is 300 seconds (5 minutes).
If the syncing process for an LOB takes longer than SYNC_INTERVAL_TIME, the next sync interval for this LOB is skipped.
3. If an account is added to a synced safe, or if a new safe is added or assigned to the LOB User, the new accounts are synced to Conjur in the next sync interval. The Synchronizer first refreshes changes in currently synced secrets and then adds the new accounts to Conjur, so ongoing changes are updated as soon as possible.
System requirements

Component: PAS
Requirement: Version 9.5 and up. For details, see the Privileged Access Security Installation Guide.

Component: Conjur
Requirement:
  Version 5 Enterprise Edition: 5.1.1 EE and up. For installation details, see https://docs.conjur.org/Latest/en/Content/Get%20Started/install-enterprise.htm.
  Version 4 Enterprise Edition: 4.9.8 and up. For installation details, see https://developer.conjur.net/server_setup/platforms/docker.html.

Component: Conjur CLI
Requirement:
  Conjur v4 EE: CLI version 4.29.0 and up, or the latest cyberark/conjur-cli:4 Docker image.
  Conjur v5 EE: Recommended install (not mandatory): cyberark/conjur-cli:5 Docker image.
  For more information about Conjur CLI Docker images, see https://hub.docker.com/r/cyberark/conjur-cli/

Component: Synchronizer
Requirement:
  Windows Server 2016 or Windows Server 2012 R2
  .NET Framework 4.5.2
  PowerShell 4
  RemoteSigned Windows PowerShell script execution policy
Hardware requirements

Component      CPU (# of cores)   RAM (GB)
Conjur server  4                  Conjur container: 8; Conjur host machine: 16 or greater
Synchronizer   4                  8
Licensing
The Synchronizer and the LOB users are APPProvider users and require appropriate licenses.

Audits
Audit records are stored in the Enterprise Password Vault ® (EPV) and in Conjur. The Synchronizer does not maintain audit records.
Synchronizer Installation
This topic describes how to install the Synchronizer on a Windows platform.
Log in to the Synchronizer machine as an Administrator and unzip VaultConjurSynchronizer.zip to a directory of your choice. In later steps, we refer to this as <installation directory>. The installation process creates log files in the following locations:
<Synchronizer directory>/Logs/Installation.log
<Installation directory>/Installation.log
Note: You must install the Synchronizer on a clean machine.
Configure Vault components

PrivateArk client
1. Go to File > Server File Categories... > New to add File Categories for the Conjur Host platform. Add the following file categories for the Conjur Host platform:

File Category Name   Type   Required Category
HostName             TEXT   No
ApplianceURL         TEXT   No
ConjurAccount        TEXT   No

2. Go to Tools > Administrative Tools > Users and Groups > New > User to create the user for the Synchronizer. Provide a password for this user:

Tab             Column                                    Value
General         User name                                 Sync_<Synchronizer machine hostname>
                User type                                 APPProvider
Authentication  User must change password at next log on  Uncheck
                Password never expires                    Check

PVWA
1. Log in to the PVWA as a Vault administrator.
2. To import the Conjur Host platform, go to ADMINISTRATION > Platform Management > Import Platform. Open Policy-ConjurHost.zip from the <installation directory>/Installation folder.
3. To activate the CyberArk Vault platform, go to ADMINISTRATION > Platform Management, select CyberArk Vault, then select Active, and save.
4. Create a Safe named ConjurSync. Assign ownership of the Safe to the Synchronizer Vault user with the following permissions:

Role                Permissions
Access              Use account, Retrieve account, List accounts
Account Management  Add account, Update account content, Update account properties
Workflow            Access Safe without confirmation
Advanced            Create folder, Delete folders

5. Log off from the PVWA.
Installation
This topic describes how to install the Synchronizer on the Windows platform.
The Synchronizer can be installed in either of the following ways:

Installation Method   Description
Standard              You will be asked to provide information throughout the installation process.
Silent                The installation procedure is initiated either by a user or by a script, and is performed without any human interaction.
Standard installation
1. Open a Windows PowerShell window as an administrator, navigate to <directory from the step above>/Installation and run the following command according to the Conjur server version:
For Conjur V5:
.\V5SynchronizerInstallation.ps1
For Conjur V4:
.\V4SynchronizerInstallation.ps1
2. Follow the installation prompts.
3. When the installation process ends, the CyberArk Vault-Conjur Synchronizer service appears in the Windows Service Management Console and the CyberArk Vault-Conjur Synchronizer event log appears in the Event Viewer in the Application and Services Logs folder.
Silent installation
To run a silent installation, you need the following prerequisites:
A credential file for the Conjur Admin user. During installation, the Conjur Admin user creates the Synchronizer host in Conjur.
A configured silent.ini file.
Do the following to prepare and run the silent installation:
1. Open a Windows PowerShell window as an administrator, navigate to <installation directory>/Installation/ and run the following commands to create a credentials file for the Conjur Admin user:
$username = "<Conjur admin username>"
$password = Read-Host "Enter the Conjur admin password" -AsSecureString
$credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$password
$credentials | Export-Clixml ConjurAdminCredFile.xml
2. Go to <installation directory>/Installation to edit the silent.ini file:

InstallationTargetPath - Location to install the Synchronizer. Default value: C:\Program Files\CyberArk\Synchronizer
ConjurServerDNS - Conjur server DNS, including port if needed.
VaultName - The logical name for the CyberArk Vault used to synchronize with Conjur. For example, the DNS name.
ConjurAccount - Conjur v5: The name of the Conjur account to which you would like to sync. Conjur v4: Leave the name empty.
VaultAddress - Address of the CyberArk Vault used to synchronize with Conjur.
VaultPort - Default value: 1858
SynchronizerVaultUsername - User name of the Synchronizer Vault user.
ConjurCredentialsFilePath - Full path of the Conjur Admin user's credentials file that was created in step 1 (<installation directory>/Installation/ConjurAdminCredFile.xml).
3. Open a Windows PowerShell window as an administrator, navigate to <installation directory>/Installation and run the following command according to the Conjur server version:
For Conjur V5:
.\V5SynchronizerInstallation.ps1 -silent
For Conjur V4:
.\V4SynchronizerInstallation.ps1 -silent
4. When the installation process ends, the CyberArk Vault-Conjur Synchronizer service appears in the Windows Service Management Console and the CyberArk Vault-Conjur Synchronizer event log appears in the Event Viewer in the Application and Services Logs folder.
Post installation
During the installation process, the installer created a credentials file for the Synchronizer Conjur host. To create an account for this host in the Vault, you need to decode the credentials stored in this file. This account is the Synchronizer's representation in Conjur and is used to retrieve the Synchronizer identity in Conjur.
If you performed a standard installation, you can skip the Create a cred file for the Synchronizer's Vault user step.

Create a cred file for the Synchronizer's Vault user
Note: Perform the following steps after a silent installation.
1. After a silent installation, open a Windows PowerShell window as an administrator, navigate to <installation directory>/Installation/CreateCredFile and run the following command:
.\CreateCredFile.exe VaultConjurSynchronizerUser.cred Password /Username Sync_<Synchronizer machine hostname> /Password <Synchronizer Vault User password> /ExePath "<Synchronizer directory>\VaultConjurSynchronizer.exe" /Hostname
2. Move the output file to <Synchronizer directory>\Vault.

Add an account in the Vault for the Synchronizer's Conjur host
1. Navigate to <installation directory>/Installation. Run the following commands to read the credentials of the Synchronizer Conjur host:
$credentials = Import-Clixml -Path synchronizerConjurHost.xml
$credentials.Username
$credentials.GetNetworkCredential().password
2. Use the values from step 1 to add an account in the PVWA, editing the following:

Parameter                            Value
Device Type                          Application
Platform Name                        Conjur Host
Store in Safe                        ConjurSync
Host Name                            The value of $credentials.Username, for example host/mysynchost
Appliance URL                        https://<Conjur Server DNS>/api
ConjurAccount                        Conjur v5: The name of the Conjur account to which you would like to sync. Conjur v4: Leave the name empty.
Password                             The value of $credentials.GetNetworkCredential().password
Name                                 Conjur_<name>, where name is the DNS of Conjur. For example, Conjur_conjur-myorg
Allow automatic password management  Disable
Security
By default, the installation restricts permission to the Synchronizer folder to the Administrators group only. If you wish to run the Synchronizer with an OS user that is not a member of the Administrators group, you will need to give this user read, execute, and write permissions to the Synchronizer folder.
Following Synchronizer installation, permanently delete or protect the credentials used during installation. This includes the ConjurAdminCredFile.xml and synchronizerConjurHost.xml files.

For v4 EE installation only:
If Ruby is not installed prior to the Synchronizer installation, the installation restricts the permission to the Ruby folder to the Administrators group.
Only users in the Users group have read-only access to the ConjurPolicies folder.

For v5 EE installation only:
During the Synchronizer installation process, a Conjur server issuer certificate is retrieved and stored in the LocalMachine\Root certificate store.
This occurs only if the Conjur server issuer certificate is not already a trusted certificate.
We recommend configuring the Conjur appliance with a certificate issued by your organization's Certificate Authority.
Configuration
This topic describes the configuration of the CyberArk Vault-Conjur Synchronizer Windows service and its files. The configuration files define how the Synchronizer works and are modified automatically during installation. You may edit the CyberArk Vault-Conjur Synchronizer Windows service and its configuration files manually after installation according to the tables below.
Note: If you modify a configuration file, restart the CyberArk Vault-Conjur Synchronizer service.

CyberArk Vault-Conjur Synchronizer Windows service configuration
The following table lists the parameters used for the CyberArk Vault-Conjur Synchronizer Windows service configuration.
You can modify the following:
Parameter: General > Startup type
Description: Indicates how and when this service is started.
Default: Automatic (Service starts at boot time)

Parameter: Log On > Log on as
Description: The type of account under which the service runs.
Default: Local System Account (An account, used by the service control manager, that has extensive privileges on the local computer and acts as the computer on the network)

Parameter: Recovery > First failure
Description: The action that occurs on the first service failure.
Default: Restart the Service

Parameter: Recovery > Second failure
Description: The action that occurs on the second service failure.
Default: Restart the Service

Parameter: Recovery > Subsequent failures
Description: The action that occurs on subsequent service failures.
Default: Take No Action

Parameter: Recovery > Reset fail count after
Description: Time after which the failure count is reset to 0.
Default: 1 day

Parameter: Recovery > Restart service after
Description: Time between service failure and service start, if the action is Restart the Service.
Default: 1 minute
VaultConjurSynchronizer.exe.config
The following table lists the parameters found in the main configuration file which are modified automatically during the installation process. These parameters define how the Synchronizer works.
You can modify the following:

Parameter: INTEGRATION_VAULT_NAME
Description: The logical name for the CyberArk Vault used to synchronize with Conjur. Use the Vault name that was used during installation. For example, the DNS name.

Parameter: CONJUR_CERT_FILE_PATH
Description: Conjur v4 EE only: The path to the certificate file provided by the Conjur server.

Parameter: SYNC_INTERVAL_TIME
Description: Interval time (in seconds) at which the Synchronizer refreshes accounts from the Vault.
Default: 300

Parameter: CRED_FILE_PATH
Description: The path to the Synchronizer Vault user cred file.
Default: ./Vault/VaultConjurSynchronizerUser.cred

Parameter: VAULT_FILE_PATH
Description: The path to the Vault.ini file, used primarily to configure the CyberArk Vault address.
Default: ./Vault/Vault.ini

Parameter: LOGS_FOLDER_PATH
Description: Path to the log files. If you customize the log file path, restrict read/write permissions to the Administrators group.
Default: ./Logs

Parameter: POLICIES_FOLDER_PATH
Description: Conjur v4 EE only: The path to the directory where Conjur policies are written. If you customize the policies folder path, restrict read/write permissions to the Administrators group. In addition, give read-only permissions to the Users group.
Default: ./ConjurPolicies

Parameter: CASOS_LOG_LEVEL
Description: Defines which casos log level is created. Valid values: OFF, ERROR, DEBUG
Default: ERROR

Parameter: log4net > root > level
Description: The log root level. Logs are written from the selected level and above. Valid values: ALL, DEBUG, INFO, WARN, ERROR, FATAL, OFF
Default: INFO

Parameter: log4net > root > appender > MaximumFileSize
Description: The maximum size (in MB) of the log file before it is rolled.
Default: 4MB

Parameter: log4net > root > appender > MaxSizeRollBackups
Description: The maximum number of backup files that are kept before the oldest is erased.
Default: 10

Parameter: log4net > appender name="eventLog"
Description: Specify the LevelMin and LevelMax parameters. Valid values: DEBUG, INFO, WARN, ERROR, FATAL
Default: LevelMin = Warn, LevelMax = Fatal
Vault.ini
The Vault parameter file, Vault.ini, contains all the information about the Vault that will be accessed by CyberArk components. Each component that will access the Vault requires a Vault.ini file of its own.
Note: The semicolon (;) and hash (#) characters indicate the beginning of a remark. However, if these characters appear between quotation marks ("") or after an equals sign (=), they are considered part of a parameter.
Parameter
Vault
Description The name of the Vault.
Acceptable Values String
Default Value None
Address
Description The IP address of the Vault.
Acceptable Values IP address
Default Value None
Port
Description The Vault IP Port.
Acceptable Values Number
Default Value 1858
Timeout
Description The number of seconds to wait for a Vault to respond to a command before a timeout message is displayed.
Note: If you change either SYNC_INTERVAL_TIME in VaultConjurSynchronizer.exe.config or TIMEOUT in Vault.ini, make sure that TIMEOUT * 2 = SYNC_INTERVAL_TIME.
Acceptable Values Number
Default Value 30
ProxyType
Description The type of proxy through which the Vault is accessed.
Acceptable Values HTTP, HTTPS, SOCKS4, SOCKS5
Default Value None
ProxyAddress
Description The proxy server IP address. This is mandatory when using a proxy server.
Acceptable Values IP address
Default Value None
ProxyPort
Description The Proxy server IP Port.
Acceptable Values Number
Default Value 8081
ProxyUser
Description User for Proxy server if NTLM authentication is required.
Acceptable Values User name
Default Value None
ProxyPassword
Description The password for Proxy server if NTLM authentication is required.
Acceptable Values Password
Default Value None
ProxyAuthDomain
Description The domain for the Proxy server if NTLM authentication is required.
Acceptable Values Domain name
Default Value NT_DOMAIN_NAME
BehindFirewall
Description Accessing the Vault via a Firewall.
Acceptable Values Yes/No
Default Value No
UseOnlyHTTP1
Description Use only the HTTP 1.0 protocol. Valid either with proxy settings or with BEHINDFIREWALL.
Acceptable Values Yes/No
Default Value No
NumOfRecordsPerSend
Description The number of file records that require an acknowledgement from the Vault server.
Acceptable Values Number
Default Value 15
NumOfRecordsPerChunk
Description The number of file records to transfer together in a single TCP/IP send/receive operation.
Acceptable Values Number
Default Value 15
EnhancedSSL
Description Whether or not to use an enhanced SSL based connection (port 443 is required).
Acceptable Values Yes/No
Default Value No
PreAuthSecuredSession
Description Whether or not to enable a pre-authentication secured session.
Acceptable Values Yes/No
Default Value No
TrustSSC
Description Whether or not to trust self-signed certificates in pre-authentication secured sessions.
Acceptable Values Yes/No
Default Value No
ProxyCredentials
Description The name of a file that contains the proxy credentials. This parameter can be used to replace the ProxyUser and ProxyPassword parameters.
Acceptable Values Full pathname
Default Value None
AllowSSCFor3PartyAuth
Description Whether or not self-signed certificates are allowed for 3rd party authentication (e.g., RADIUS).
Acceptable Values Yes/No
Default Value No
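A configuration check covering two points from the Vault.ini section: the remark rule (';' and '#' begin a remark unless they sit between quotation marks or after '=') and the note on the Timeout parameter that TIMEOUT * 2 must equal SYNC_INTERVAL_TIME. This is an added example, not CyberArk code. It assumes VaultConjurSynchronizer.exe.config stores SYNC_INTERVAL_TIME as a standard .NET <appSettings> entry (the guide does not show the file's layout), and both sample files are constructed.

```python
"""Validate a Synchronizer Vault.ini against VaultConjurSynchronizer.exe.config.

Added example, not CyberArk code. The exe.config appSettings layout is an
assumption; both sample files are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_VAULT_INI = """\
; Vault.ini for the Synchronizer (constructed sample)
Vault=MyVault
Address=10.0.0.5
# Port is the Vault IP port
Port=1858
Timeout=150
ProxyPassword="p#ss;word"
ProxyAuthDomain=CORP ;trailing text stays in the value
"""

SAMPLE_EXE_CONFIG = """\
<configuration>
  <appSettings>
    <add key="INTEGRATION_VAULT_NAME" value="MyVault" />
    <add key="SYNC_INTERVAL_TIME" value="300" />
  </appSettings>
</configuration>
"""


def parse_vault_ini(text: str) -> Dict[str, str]:
    """Return parameters keyed by upper-case name.

    A line whose first non-blank character is ';' or '#' is a remark. Once
    '=' has been seen, everything after it belongs to the value, so a
    trailing ';...' is NOT stripped; surrounding quotation marks are removed.
    """
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        params[key.strip().upper()] = value
    return params


def read_sync_interval(exe_config_xml: str) -> int:
    """Fetch SYNC_INTERVAL_TIME (seconds) from an appSettings block (assumed layout)."""
    root = ET.fromstring(exe_config_xml)
    for add in root.iter("add"):
        if add.get("key") == "SYNC_INTERVAL_TIME":
            return int(add.get("value", ""))
    raise KeyError("SYNC_INTERVAL_TIME not found in exe.config")


def check_timing(vault_ini: Dict[str, str], sync_interval: int) -> List[str]:
    """Return a list of problems; an empty list means the two files agree."""
    problems: List[str] = []
    for required in ("VAULT", "ADDRESS"):
        if required not in vault_ini:
            problems.append(f"Vault.ini is missing {required}")
    raw_timeout = vault_ini.get("TIMEOUT", "30")  # 30 is the documented default
    try:
        timeout = int(raw_timeout)
    except ValueError:
        return problems + [f"TIMEOUT is not a number: {raw_timeout!r}"]
    if timeout * 2 != sync_interval:
        problems.append(
            f"TIMEOUT*2 = {timeout * 2} but SYNC_INTERVAL_TIME = {sync_interval}")
    return problems


if __name__ == "__main__":
    ini = parse_vault_ini(SAMPLE_VAULT_INI)
    issues = check_timing(ini, read_sync_interval(SAMPLE_EXE_CONFIG))
    print("OK" if not issues else "\n".join(issues))
```

Because text after '=' is never treated as a remark, a stray ';comment' on a parameter line ends up inside the value (the ProxyAuthDomain line in the sample shows this); the parser keeps that behaviour deliberately so the check sees the file as the Vault components do.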
Run Synchronizer
This topic describes how to run the Vault-Conjur Synchronizer.
1. Navigate to the Windows Services Management Console and start the CyberArk Vault-Conjur Synchronizer service. You can also start this service from the command line, using the following command:
sc.exe start CyberArkVaultConjurSynchronizer
2. Go to <LOGS_FOLDER_PATH> and open the VaultConjurSynchronizer.log log file to verify that the Synchronizer is running without errors.
You can configure the log folder path under the LOGS_FOLDER_PATH parameter in the VaultConjurSynchronizer.exe.config file.
Note: The first sync might take some time.
Line of Business (LOB)
Overview
A line of business (LOB) represents a business group that requires access to secrets from the Vault. This enables segregation of duties (SoD). The LOB facilitates the syncing of accounts to Conjur.
This topic describes how to add and assign permissions to an LOB user.

Add an LOB
Note: The LOB name cannot include special characters.

PrivateArk client
Go to Tools > Administrative Tools > Users and Groups > New > User and create a Vault user for the LOB, provide a password for this user, and update the following values:

Tab             Column                                   Value
General         User name                                LOBUser_<LOB name>
                User type                                APPProvider
Authentication  User Must Change Password at Next Logon  Uncheck
                Password never expires                   Check
PVWA
1. Assign the Vault user LOBUser_<LOB name> as an owner of the Safes you would like to sync with Conjur. The LOBUser_<LOB name> user requires the following permissions:

Role      Permissions
Access    Use accounts, Retrieve accounts, List accounts
Workflow  Access Safe without confirmation

2. Create an account for the LOB User with the following configuration. The account name must have a prefix of LOBUser_<LOB name>. To set this, see Customize the account name, page 28, below.

Configuration

Parameter               Value
Device Type             Application
Platform Name           CyberArk Vault (Note: Supported on Vault version 5.0 and above)
Store in Safe           ConjurSync
User Name               LOBUser_<LOB name>
Address                 IP address of the Vault
Password                Password of LOBUser_<LOB name>
Customize Account Name  LOBUser_<LOB name>

Customize the account name
In the PVWA v10 interface: [screenshot not included in this transcript]
In the PVWA classic interface: [screenshot not included in this transcript]

Note: If you want to sync more than one safe with Conjur, send a separate Add LOBUser to synchronized Safe request with the Safe name for each one.

Delete an LOB
To stop syncing a particular LOB, do the following steps:
Caution: After deleting an LOB, other hosts or users can no longer access the LOB variables.
PVWA
This step deletes the LOB account in the PVWA. The Synchronizer will no longer sync the LOB.
1. Log in to the PVWA as a Vault administrator.
2. Delete the LOBUser_<LOB name> user account from the ConjurSync safe.

PrivateArk client
This step deletes the LOB user in PrivateArk. The user will no longer be counted for license purposes.
Delete the LOBUser_<LOB name> user.

Conjur v5 EE
This step deletes an LOB from Conjur.
1. Create a policy file named deleteLob_<lobName>.yml with the LOB name you intend to delete.
2. In the policy file, enter the text below. Replace the <lobName> text with the LOB you intend to delete.
- !delete
  record: !group <lobName>-admins
3. Log in to Conjur as a Conjur Administrator and load the policy using the Conjur CLI:
conjur policy load --delete <VaultName> <path to your policy>
This can also be done using the Conjur v5 update policy REST API: https://www.conjur.org/api.html#policies-update-a-policy-patch

Conjur v4 EE
This step removes permissions from the LOB's variables. The variables will no longer be accessible.
1. Copy the <vault name>/<LOB name> policy from the POLICIES_FOLDER_PATH folder to another location accessible to the Conjur CLI. Edit the following:
a. Replace all active-variables with inactive-variables.
b. Change all variables' ownership from !group lob_name-admins to !policy.
c. Add the following permit lines to the end of the policy file:
- !permit
  replace: true
  role: !policy
  privilege: [ read, execute ]
  resources: *inactive-variables
2. Log in to Conjur as a Conjur Administrator and load the policy using the Conjur CLI:
conjur policy load <path_to_policy_file>
3. Delete the original policy file (<vault name>/<LOB name>) from the POLICIES_FOLDER_PATH folder.

Supported LOBs
The Synchronizer can support up to 10 LOBs. If you initially add more than 10 LOBs, the Synchronizer doesn't start and generates an error in the logs.
If you add LOBs after the Synchronizer has started and the total number of LOBs exceeds 10, the Synchronizer does not sync these additional LOBs and generates an error in the logs.
Conjur Policies
A Conjur policy enables you to define security rules in declarative files. These security rules describe which users and services have privileges to access machines, or to get secrets like passwords and API keys.
After the Synchronizer loads the LOB policies where Conjur variables are defined, you can apply different Conjur delegation policies to provide permissions on the synced variables to Conjur users, groups, hosts, and layers.

Conjur 4 EE
Example:
- !host
  id: delegated-host

- !permit
  role: !host delegated-host
  privileges: [ read, execute ]
  resources: [ !variable <variable-id> ]
To load the delegation policy, log in as the LOB administrator. To retrieve the API key of the LOB administrator, log in to Conjur as the Conjur administrator and run the following command:
conjur user rotate_api_key --user <lob name>-admin
Conjur v4 EE: For details on creating and loading Conjur policies, see the Policy Guide.

Conjur 5 EE
A user granting role permissions for an LOB variable defined in a Conjur policy:
Must be a member of the lob-admins group.
Must perform this task by using the Append to Policy REST API to update the Vault/LOB policy: https://www.conjur.org/api.html#policies-append-to-a-policy-post
Caution: Avoid using PUT (--replace) to update a Vault/LOB policy. This can remove all synchronized secrets under the LOB.

Example
In the following example, /myapp/myhost represents a role, and vault/lob/safe/account/password is a variable.
To provide the role with permissions to read and execute the variable:
1. Create a delegation policy file.
- !permit
  role: !host /myapp/myhost
  privileges: [ read, execute ]
  resources: [ !variable safe/account/password ]
2. Log in to Conjur as an LOB administrator. Load the policy using the Conjur CLI:
conjur policy load vault/lob <path_to_policy_file>
You can also do this using the Append to Policy REST API: https://www.conjur.org/api.html#policies-append-to-a-policy-post
A Conjur admin can add a user to the lob-admins group using a grant statement.
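The Conjur 5 EE delegation step, and the caution above it, as an added example (not Conjur or CyberArk code). delegation_policy renders the !permit statement from the example for any number of variables; check_privileges flags any privilege beyond read and execute, since update on a synced variable would let the delegated host overwrite the Vault-managed value; policy_request maps the CLI's default, --delete and --replace modes onto the Conjur v5 policy endpoint /policies/{account}/policy/{policy-id} (POST, PATCH and PUT respectively, as linked above) and refuses a PUT on any policy the Synchronizer owns. The account, host, variable and policy ids are constructed, and the set of Synchronizer-owned policy ids is something the caller supplies.

```python
"""Delegate read/execute on synced variables and pick a safe policy-load call.

Added example, not Conjur or CyberArk code. Ids below are constructed; the
REST paths follow the Conjur v5 policy endpoint linked in the text.
"""
import re
from typing import List, Set, Tuple
from urllib.parse import quote

ALLOWED_PRIVILEGES = {"read", "execute"}
MODE_TO_METHOD = {"append": "POST", "modify": "PATCH", "replace": "PUT"}


def delegation_policy(host_id: str, variable_ids: List[str]) -> str:
    """Render a policy granting read+execute on variables to one host.

    variable_ids are relative to the Vault/LOB policy the file is loaded into,
    e.g. 'safe/account/password' when loading into 'vault/lob'.
    """
    lines = [
        "- !permit",
        f"  role: !host {host_id}",
        "  privileges: [ read, execute ]",
        "  resources:",
    ]
    lines += [f"    - !variable {vid}" for vid in variable_ids]
    return "\n".join(lines) + "\n"


def check_privileges(policy_text: str) -> List[str]:
    """Return privileges found in any 'privileges: [ ... ]' list beyond read/execute."""
    excess: List[str] = []
    for match in re.finditer(r"privileges:\s*\[([^\]]*)\]", policy_text):
        for priv in match.group(1).split(","):
            priv = priv.strip()
            if priv and priv not in ALLOWED_PRIVILEGES:
                excess.append(priv)
    return excess


def policy_request(account: str, policy_id: str, mode: str,
                   synced_policies: Set[str]) -> Tuple[str, str]:
    """Return (HTTP method, path) for loading a policy.

    'append' = POST (plain conjur policy load), 'modify' = PATCH (--delete),
    'replace' = PUT (--replace). A replace on a Synchronizer-owned Vault/LOB
    policy is refused because it would drop every synchronized variable.
    """
    if mode not in MODE_TO_METHOD:
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "replace" and policy_id in synced_policies:
        raise PermissionError(
            f"refusing PUT on {policy_id}: it would remove the synchronized secrets")
    path = f"/policies/{account}/policy/{quote(policy_id, safe='')}"
    return MODE_TO_METHOD[mode], path


if __name__ == "__main__":
    text = delegation_policy("/myapp/myhost", ["safe/account/password"])
    print(text)
    print("excess privileges:", check_privileges(text))
    print(policy_request("myorg", "vault/lob", "append", {"vault/lob"}))
```

Wiring policy_request in front of whatever script or pipeline loads delegation policies turns the caution into an enforced rule: the LOB administrator can still append and modify, but the one call that would wipe the synchronized variables never reaches the server.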
Accounts and Safes
Manage single accounts
This topic describes how you can provision accounts in the Password Vault.
Provisioning methods
PVWA: You can provision accounts individually in the Vault in the Add Accounts page of the PVWA.
Accounts Feed: You can configure the CPM to scan an organizational network and retrieve a list of accounts that have access to its computers and their dependencies.
Provisioning Accounts Automatically: You can detect and provision accounts automatically, providing a full life-cycle automatic management system for Windows accounts and their services.
Web Service: You can provision accounts using the AddAccount web service.
Bulk upload: You can provision multiple accounts with the Password Upload utility.
For more information about these provisioning methods, see the Privileged Access Security Implementation Guide.
Add an account in the PVWA
The following procedure describes how to add an account in the PVWA.
Add an account
1. Click ACCOUNTS to display the Accounts page.
2. Click Add Account; the Add Account page appears.
Note: This button will only be displayed if you have the Add accounts, Update password value, or Update password properties authorization in at least one Safe.
3. From the Safe drop-down list, select the Safe where the account will be stored.
4. From the Device drop-down list, select the platform on which the new password is used.
5. From the Platform Name drop-down list, select an active target platform.
6. Required or optional properties for the type of account that you have selected will appear automatically, according to the definitions in the target platform configurations.
7. Specify the required account properties and, if necessary, the optional account properties.
Note: To specify an IPv6 address, specify the global format, as shown in the following example: 1000:1000:1000:1000:1000:1000:1000:0055. For a list of platforms that support automatic password management on IPv6, refer to the Privileged Access Security System Requirements.
8. In the Password field, specify the password. Make sure this password meets your enterprise password policy requirements.
9. In the Confirm Password field, specify the password again.
10. To generate a password name automatically, select Auto-generated. For more information about naming passwords automatically, refer to Identifying Accounts in the Privileged Access Security Implementation Guide.
11. To specify a password name, enter the name in the Custom field.
12. To disable automatic password management by the CPM for this password so that it will be managed manually, select Disable automatic management for the password. You can also enter a reason for doing this.
Note: The CPM user must be an owner of the Safe where the password will be stored, and a platform name of an active target account platform must be specified, in order for the password to be managed by the CPM.
13. Click Save; the new account is added.
14. If the PVWA is configured to automatically change or verify passwords when they are added, this will be done now. For more information about configuring this feature, refer to Adding Accounts in the Privileged Access Security Implementation Guide.
15. The account is now created in the specified Safe and the new account details are displayed in the Account Details page. If the specified password contains leading and/or trailing white space character(s), a message appears in the Account Details page indicating that they will automatically be removed.
16. Some platforms require additional information. You can specify this information in the tabs in the Account Details page.
Manage Dual Accounts
The Dual Accounts deployment method eliminates any edge case delays that may be encountered when using the Single Account deployment method. Using the Single Account deployment method, delays may be incurred in edge cases such as when a password is requested exactly when the CPM is changing that password. Dual Accounts ensures no such delays are incurred when the application needs credentials, since a password that is currently used by an application will never be changed. This is especially recommended in high load and critical applications.
The Dual Accounts method ensures seamless, safe access to a system, database, or application. With this type of account rotation, there are no blackout periods when passwords expire.
How it works
Two accounts with identical privileges are assigned: one active: A, one inactive: B. There is always an active account, which remains untouched during password rotation. This ensures business continuity, with no delays.
Rotation 1
At the set date for password rotation, account A, the first account in use, is deactivated, and B is activated.
While the second account B is active, there is a grace period, during which the deactivated first account A will have its password reset. This allows all applications to register the change and switch to using the newly active account.
Rotation 2
At the next set date for password rotation, account B is deactivated. Account A is now active.
Deactivated account B has its password reset at the end of this grace period.
Dual Account properties
The Dual Account solution uses two account properties to determine which accounts are valid for use at any given time.
DualAccountStatus: This property flags accounts as Active or Inactive. Dual account pairs will always have one active account and one inactive account.
VirtualUsername: This property identifies two identically provisioned accounts in a dual accounts pair under one virtual username.
On each target system, there must be two accounts with identical permissions, the dual accounts pair, used by the application to connect to the system. In the Vault one account is tagged as active and the other account is tagged as inactive (using the DualAccountStatus property), while on the target system (e.g. database), they are both enabled. CyberArk AIM does not enable or disable accounts on target systems.
A typical example is when an application connects to a remote database.
The BillingApp application regularly requests an account password from the Credential Provider in order to connect to a DB2 database, located on 10.0.0.1.
When using the Dual Account solution, two accounts must reside on the DB2 database. Both accounts have the same value for their VirtualUsername property, which links them and creates the dual accounts pair. These accounts will be used by the BillingApp application to connect to the database when required. One account is always Active and one account is always Inactive. Account status will be updated during a password change.
Configure dual accounts
This topic describes how to configure Dual Account password management.
Configure support for dual account password management
To support rotation of the two accounts before a Central Policy Manager password change, the two accounts are grouped into a Rotational Group.
For details about the PAS functionality mentioned in this section, see the Privileged Access Security Implementation Guide.
Prepare the Vault environment for dual account support
Note: This step needs to be done once.
In the PrivateArk Client, add the following file categories to the Vault environment:
Note: Make sure that the file categories are configured at the Vault level and not at the Safe level.
CurrInd (Numeric): This file category is applied to the group account and indicates the currently active account in the Rotational Group context. The value matches an account index (see below) in the Rotational Group.
Index (Numeric): This file category is applied to all accounts in the Rotational Group. Accounts will be rotated in ascending order according to their index.
DualAccountStatus (List): Valid values: Active/Inactive.
VirtualUsername (Text): A logical name that represents both accounts in the Rotational Group.
Rotational group platform configuration
Configure the Platform that will be used by the Group Object.
Note: Do this step for each Platform setting. If one Platform setting addresses all Dual Accounts' pairs and their needs, it may be reused.
In PVWA's Platform Management:
1. Duplicate the Sample Password Group Platform template.
2. Rename the Platform to represent its purpose. For example, Rotational Policy.
3. Activate the Platform. Click Edit to configure the new policy.
4. Go to Target Account Platform > Automatic Password Management > General. Edit the Platform's PolicyType to RotationalGroup.
5. Go to Target Account Platform. Right-click Automatic Password Management > Add additional Policy Settings. Right-click Additional Policy Settings > Add Parameters. Right-click Parameters > Add Parameter. Add a custom property to the group, called GracePeriod.
6. Set the GracePeriod parameter and value: The GracePeriod value is the number of minutes between the rotation of roles between the accounts (Active/Inactive) and the beginning of the password change process for the current Inactive Account. This enforces a delay that ensures there are no discrepancies between the account being used by the application and the one having its password rotated. It is recommended that the GracePeriod value is set to be 3 times longer than the sync interval time (SYNC_INTERVAL_TIME) parameter of the Synchronizer.
Note: In an environment where Dual Accounts is implemented for both AIM and Conjur, set the value of the GracePeriod for both to whichever value is higher.
The GracePeriod value is the number of minutes between the rotation of roles between the accounts (Active/Inactive) and the beginning of the password change process for the current Inactive Account. This enforces a delay that ensures there are no discrepancies between the account being used by the application and the one having its password rotated, similar to the StartChangeNotBefore property used in single account management. It is recommended that the GracePeriod value is set to be 3 times longer than the CacheRefreshInterval of the Credential Provider. The CacheRefreshInterval parameter is stored in the main configuration file in the vault.
7. Save the new Platform.
Configure the object's platform for dual account support
Configure the Platform that will be used by each of the Dual Accounts' objects.
Note: This step needs to be done for each Platform used by Dual Account objects.
Configure the object's platform
1. Go to Target Account Platform > UI & Workflow > Properties. Right-click Optional. Add the following properties previously defined in the Vault: Index, DualAccountStatus, VirtualUsername.
2. Save the Platform.
Configure accounts and groups for dual accounts support
Note: This step is done for each account that is used as a Dual Account.
Configure for dual accounts support
1. Click to configure dual account support.
2. Create the account object.
Note: Both accounts must be created in the same Safe.
3. For each dual account, select Account Details > Edit to edit the dual account properties:
VirtualUsername: Logical representation of the account pair. This value must be the same on both accounts.
Index: Ascending from 1.
DualAccountStatus: On the account with Index value '1', set this value to 'Active'. Set the other account to 'Inactive'.
4. On the CPM tab, click Create New or Modify to add the account to a group:
Group: Enter a group name. This should be the same for both accounts.
PlatformName: Specify the Dual Account platform that you specified in the previous step.
Set the index of the group object
Note: This step is done once on the group object.
Set index
Using the PrivateArk Client, edit the group object (this can be found in the Group folder of the Safe containing the Dual Accounts objects):
1. Right-click the Group object.
2. Select Properties > File Categories.
3. Add a file category called CurrInd with a value of 1. This indicates the index of the account that is set as Active.
Account rotation flow
Under Rotational Group Platform Configuration
1. The CPM detects that the Rotational Group requires a password change, based on its Platform settings.
2. DualAccountStatus of both accounts is switched between Active and Inactive.
3. The CurrInd of the Group is updated to the index of the Active account.
4. The Inactive account is marked for a password change.
5. Based on the GracePeriod property of the Rotational Group Platform, the password change is delayed, allowing the Credential Provider to refresh its cache and start working with the current Active account.
6. Once the grace period has ended, the CPM will initiate a password change task for the Inactive account.
Configure the password change interval for dual accounts
The following section describes how to set the interval for an automatic password change in the PVWA:
In Dual Account configuration, a password is changed only after the Account Rotation process is completed and the GracePeriod has ended. Therefore, to comply with your organizational password change policy, the following formula can be used to calculate the password's expiration period (Require password change every X days) in the Rotational Group Platform settings:
Example: There is an organizational audit requirement that passwords will be changed every 30 days. The Rotational Group has 3 members. Set the expiration period of the Rotational Group to 10 days.
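To make the rotation flow and the interval calculation above concrete, here is an added Python simulation (not CyberArk code) of a Rotational Group: it keeps the Index, DualAccountStatus, CurrInd and VirtualUsername categories in memory, applies the GracePeriod delay before the CPM changes the deactivated account, and models a cache-driven Credential Provider reading the active member. It generalises the pair to N members rotating in ascending Index; the expiration helper is inferred from the page's worked numbers (30 days, 3 members, 10 days) and is an assumption, not a documented formula.

```python
"""Rotational Group simulation (added example, not CyberArk code).

Time is in minutes. The file categories from this section (Index,
DualAccountStatus, CurrInd, VirtualUsername) are kept in memory; the
CPM and the Credential Provider are modelled as plain functions.
"""
from dataclasses import dataclass, field

ACTIVE, INACTIVE = "Active", "Inactive"


@dataclass
class Account:
    name: str
    index: int                    # Index category, ascending from 1
    password: str
    status: str = INACTIVE        # DualAccountStatus category
    change_pending: bool = False  # marked for a CPM password change


@dataclass
class RotationalGroup:
    virtual_username: str         # VirtualUsername, shared by all members
    accounts: list
    grace_period: int             # GracePeriod platform parameter (minutes)
    curr_ind: int = 1             # CurrInd category on the group object
    rotated_at: int = None        # minute of the last rotation (assumed bookkeeping)
    changes: list = field(default_factory=list)  # (minute, account) audit trail

    def __post_init__(self):
        self.accounts.sort(key=lambda a: a.index)
        for a in self.accounts:
            a.status = ACTIVE if a.index == self.curr_ind else INACTIVE

    def active(self):
        return next(a for a in self.accounts if a.status == ACTIVE)

    def rotate(self, now):
        """Flow steps 1-4: swap Active/Inactive, update CurrInd and mark the
        just-deactivated account for a change (its password is untouched yet)."""
        old = self.active()
        nxt = old.index % len(self.accounts) + 1   # next Index, wrapping to 1
        for a in self.accounts:
            a.status = ACTIVE if a.index == nxt else INACTIVE
        self.curr_ind = nxt
        old.change_pending = True
        self.rotated_at = now

    def tick(self, now):
        """Flow steps 5-6: the CPM changes the pending password only once
        GracePeriod has elapsed. Returns the changed account name, or None."""
        if self.rotated_at is None or now - self.rotated_at < self.grace_period:
            return None
        for a in self.accounts:
            if a.change_pending:
                a.password = f"{a.name}-pw-{now}"  # constructed new secret
                a.change_pending = False
                self.changes.append((now, a.name))
                return a.name
        return None


def provider_fetch(group, cache, now, refresh_interval):
    """Credential Provider view: serve from cache, refresh every refresh_interval
    minutes. GracePeriod must exceed this window, otherwise the provider can
    still hand out the account whose password the CPM is about to change."""
    if "at" not in cache or now - cache["at"] >= refresh_interval:
        a = group.active()
        cache.update(at=now, name=a.name, password=a.password)
    return cache["name"], cache["password"]


def recommended_grace_period(sync_interval):
    """Page guidance: GracePeriod at least 3x the Synchronizer SYNC_INTERVAL_TIME."""
    return 3 * sync_interval


def group_expiration_days(policy_days, members):
    """Assumed formula inferred from the page's example (30-day policy,
    3 members -> 10 days): each member is changed once per full cycle."""
    return policy_days / members


if __name__ == "__main__":
    g = RotationalGroup("BillingApp_db2", [Account("billing_a", 1, "a0"),
                                           Account("billing_b", 2, "b0")],
                        grace_period=recommended_grace_period(5))
    g.rotate(0)
    for minute in (5, 10, 15):
        print(minute, g.active().name, g.tick(minute))
```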
Set the interval for automatic password change in PVWA
1. Go to Administration > Platform Management > Rotational Policy > Edit > Automatic Password Management > Password Change. Edit PerformPeriodicChange to Yes.
2. Go to Policies > Master Policy > Password Management > Require password change every X days. Select Add Exception. Select <platform you created earlier> > Next. Edit the value to the amount of days wanted.
Limitations
Account usages are not supported in automatic Dual Account configuration.
When initiating a manual password change on an account that is a member of a Rotational Group, the "Synchronize the current account's password with the group's password" radio button is not supported.
Selecting this option will cause the specific account's password to be out of sync with the Credential Provider cache.
One-time Passwords and Exclusive Accounts
The Synchronizer can retrieve accounts that have been configured for one-time password access and exclusive accounts. However, the effects of interactive user usage and application usage vary, as explained below.
Interactive usage of one-time passwords and exclusive accounts
When one-time accounts are used, their password is changed after every usage, based on the Master Policy. In addition, if Exclusive Access is enforced by the Master Policy, the account is automatically locked during usage. For more information about one-time passwords and exclusive access, refer to The Master Policy in the Privileged Access Security Implementation Guide.
Application usage of one-time passwords and exclusive accounts
Inherently, applications require passwords at a very high rate. Therefore, one-time password workflows are not relevant when applications retrieve passwords. Similarly, several applications in your organization may require the same account to be used at the same time and, therefore, exclusive account workflows are not relevant either.
Nevertheless, it is possible for applications to use accounts that have been configured to use one-time passwords and/or exclusive accounts. Unlike interactive user workflows, one-time passwords that are retrieved by the Synchronizer do not trigger a password change, nor will accounts be locked (if Exclusive Access is configured).
Interactive users may continue using these accounts at the same time as applications use them. However, use by interactive users and applications concurrently will invoke frequent password changes on accounts that have been configured for one-time access. Password changes require the Synchronizer to access the Vault in order to retrieve the new password and introduce additional load.
If possible, it is recommended to separate accounts used by interactive users and accounts used by applications.
Manage Accounts and Safes During Synchronization
This topic describes how to manage accounts and safes during synchronization.
Add an Account
1. Add an account to a synced safe (the LOB User is an owner of that safe).
2. In the next sync interval, the account is added to the LOB and corresponding variables are created in Conjur.
3. After the variables are created and loaded, create a delegation policy and grant permissions to hosts and users on the variables.
Rename an Account
1. Give an account that is synced to Conjur a new name. (The LOB User is an owner of the safe that the account is stored in.)
2. In the next sync interval, the renamed account is added to the LOB as a new account and the variables are created in Conjur.
3. After the variables are created and loaded, create a delegation policy and grant permissions to hosts and users for these variables.
Note: The variables that correspond to the account before you renamed it are not deleted from Conjur. For details, see Limitations, page 51.
Add a Safe
1. Create a new safe with accounts and add the LOB User as an owner of that safe, or add the LOB User as an owner of an existing safe.
2. In the next sync interval, the accounts are added to the LOB and the variables are created in Conjur.
3. After the variables are created and loaded, create a delegation policy and grant permissions to hosts and users on the variables.
Rename a Safe
1. Give a safe that already syncs to Conjur a new name. The LOB User is an owner of that safe.
2. In the next sync interval, the renamed safe's accounts are added to the LOB and the variables are created in Conjur.
3. After the variables are created and loaded, create a delegation policy and grant permissions to hosts and users on the variables.
The variables that correspond to the account before you renamed it are not deleted from Conjur. For details, see Limitations, page 51.
Delete an Account or Safe
Deleting an account or a safe from a currently synced LOB is not supported. For details, see Limitations, page 51.
Upgrade
This topic will include all the steps needed to upgrade Vault-Conjur Synchronizer.
Note: Upgrade is supported from v10.3 forward.
1. Log in to the Synchronizer machine as an Administrator.
2. Unzip VaultConjurSynchronizer.zip to a directory of your choice.
3. Stop the CyberArk Vault-Conjur Synchronizer service.
4. Copy and replace all files except the Vault folder and VaultConjurSynchronizer.exe.conf from the unzipped VaultConjurSynchronizer folder to the Synchronizer folder.
Note: The previous location of the Synchronizer folder remains the same. By default, the Synchronizer folder is located here: C:\Program Files\CyberArk\Synchronizer.
Caution: The Vault folder itself and the configuration file, VaultConjurSynchronizer.exe.conf, must not be replaced.
5. Start the CyberArk Vault-Conjur Synchronizer service.
Uninstall Synchronizer
This topic describes how to uninstall the Synchronizer on a Windows platform.
Perform the following steps as an Administrator on the Synchronizer machine.
Note: If you are uninstalling in order to upgrade to a new version of Synchronizer: We recommend backing up the Synchronizer folder (default path: C:\Program Files\CyberArk) before proceeding. Only perform the first two steps below.
1. Stop and delete the Windows service.
Run the following commands:
sc.exe STOP CyberArkVaultConjurSynchronizer
sc.exe DELETE CyberArkVaultConjurSynchronizer
2. Delete the Synchronizer folder.
The default location is C:\Program Files\CyberArk.
3. Conjur v4 EE only: Delete the Conjur gems.
Run the following commands:
gem uninstall conjur-api
gem uninstall conjur-cli
gem uninstall conjur-asset-policy
4. You can also delete each LOB created for the Synchronizer.
This step is optional. For details, refer to Delete an LOB, page 29.
Limitations
General Synchronizer limitations
High availability is not supported.
Synced Accounts per LOB: One LOB can support up to 10,000 accounts; however, you cannot exceed 20,000 accounts across all 10 LOBs.
Variable names are limited to 126 characters.
You cannot add a username to an account that has already been synced by the Synchronizer. The username variable will not sync and an error message is written to the log during each sync interval.
We support two accounts in a dual account group.
Disaster Recovery Vaults are not supported.
Distributed Vaults are not supported.
Secret values that are synced from the CyberArk Vault must not be changed in Conjur. If such a secret value is changed in Conjur, unexpected behavior may occur. Change secret values only in their source accounts in the Vault.
The Synchronizer syncs accounts found in the root folder of the Safe. Accounts located in sub-folders are not synced to Conjur.
Deletion limitations
Deleting an account or a safe from a currently synced LOB is not reflected in Conjur.
Variables and their values are not deleted in Conjur when you delete an account in the Vault. This is also true for variables of accounts in a deleted safe.
Conjur v4 EE: After accounts are deleted from the Vault, the LOB admin should revoke permissions for Conjur variables of the deleted accounts.
Create a policy to revoke privileges:
- !permit
  role: !policy lob-id
  replace: true
  privileges: [ read, execute ]
  resources: [ !variable variable-to-delete ]
Conjur v5 EE and up: After accounts are deleted from the Vault, the LOB admin should delete the Conjur variables of the deleted accounts.
Upgrade limitations
Synchronizer running with Conjur v4 EE only: Upgrade is supported from Synchronizer v10.3 and up.
Note: Synchronizer running with Conjur v4 EE cannot be transferred to run with Conjur v5 EE, and vice versa. Synchronizer downgrade is not supported.
Synchronizer running with Conjur v5 EE and up: A clean Synchronizer install is necessary.
Logs
Synchronizer log messages are written into log files and into the Windows Event log.
Log files
Synchronizer logs are located in <LOGS_FOLDER_PATH>. The logs folder contains the trace log files that track the Synchronizer activity. The main log file is called VaultConjurSynchronizer.log.
You can configure the log folder path and log level in the VaultConjurSynchronizer.exe.config file. For details, see Configuration, page 18.
Windows Event log
The Synchronizer logs are written to the Event Viewer > Application and Services Logs > CyberArk Vault-Conjur Synchronizer. You can configure the log level in the VaultConjurSynchronizer.exe.config file. For details, see Configuration, page 18.
The following table describes the log levels based on the starting number of the Event ID:
Event ID starts with 1: Synchronizer log level Debug, Event log level Information.
Event ID starts with 2: Synchronizer log level Info, Event log level Information.
Event ID starts with 3: Synchronizer log level Warning, Event log level Warning.
Event ID starts with 4: Synchronizer log level Error, Event log level Error.
Event ID starts with 5: Synchronizer log level Fatal, Event log level Error.
Log entry format
The following describes the log entry format:
[Date] [Thread ID] [Thread Context] [Debug Level] [Message]
Date: Time of the log entry.
Thread ID: ID of the thread that wrote the entry.
Thread Context: The name of the LOB processed by the thread, or main if outside the context of the LOBs.
Debug Level: The log root level. Logs are written from the selected level and above. Valid values: ALL, DEBUG, INFO, WARN, ERROR, FATAL, OFF.
Message: The log entry message.
Troubleshooting
This topic describes how to troubleshoot specific errors issued by the Synchronizer to the Logs, page 53.

Issue: Connection timeout to the vault
Error code: ITACM012S
Resolution: Increase the TIMEOUT parameter value in the <Installation path>\Vault\Vault.ini file. The default value is 60 seconds.

Issue: Connection timeout during loading policy via SDK
Error code: VCSS004E
Resolution: Set the HTTP_REQUEST_TIMEOUT parameter value in the <Installation path>\VaultConjurSynchronizer.exe.config file. The default value is 100,000 milliseconds (100 seconds).

Issue: At first Synchronizer start up, the number of LOBs exceeds 10
Error code: VCSS004F
Resolution: The Synchronizer can support up to 10 LOBs. If you initially add more than 10 LOBs, the Synchronizer doesn't start and generates an error in the logs. Verify the number of LOBs defined in the Vault is 10 or less.

Issue: At start up, the total count of LOBs exceeds 10
Error code: VCSS018E
Resolution: The total count of LOBs exceeds our limit of 10 while starting the Synchronizer service. Only those LOBs that have previously been synced will be synced again. Please remove the others listed in the error log as not synced. Reducing the number of LOBs to meet the limit will remove this error.

Issue: After start up, the number of LOBs exceeds 10
Error code: VCSS016E
Resolution: If you add LOBs after the Synchronizer started and the total number of LOBs exceeds 10, the Synchronizer does not sync these additional LOBs and generates an error in the logs. Verify the total number of LOBs defined in the Vault does not exceed 10.

Issue: Conjur is overloaded because too many LOBs are being synced
Error code: VCSS007E
Resolution: LOBs that did not sync will sync during the next interval.

Issue: Failed to initialize Conjur Client with exception of type System.Net.WebException and message The remote server returned an error: (401) Unauthorized
Error code: VCSS006E
Resolution: The Synchronizer Conjur host's credentials that are stored in the Conjur host account in the ConjurSync safe are incorrect. Verify that you can log in from a Conjur CLI with the credentials stored in the account by running these commands:
conjur authn logout
conjur authn login <HostName field of the account>
When prompted for an API key, use the password of the account. The account's credentials are created at the end of the installation process, and are stored in synchronizerConjurHost.xml. For details on creating the Conjur host account, see Post installation, page 15.

Issue: Failed to initialize Conjur Client with exception of type System.Net.WebException and message The remote server returned an error: (404) Not Found.
Error code: VCSS006E
Resolution: The Synchronizer Conjur host's ApplianceUrl that is stored in the Conjur host account in the ConjurSync safe is incorrect. Verify that the value of ApplianceUrl contains the URL:
https://<Conjur Server DNS>/api

Issue: Accounts are not syncing
Resolution: The Synchronizer is running but not syncing to Conjur. If you see in the logs these lines:
2018-04-17 15:19:14,865 [6] [main] INFO VaultConjurSynchronizer.Synchronizer - VCSS003I Refreshing accounts from the vault - start
2018-04-17 15:19:14,865 [6] [main] INFO VaultConjurSynchronizer.Synchronizer - VCSS003I Refreshing accounts from the vault - end
And not:
2018-04-17 15:28:07,770 [6] [main] INFO VaultConjurSynchronizer.Synchronizer - VCSS003I Refreshing accounts from the vault - start
2018-04-17 15:28:10,770 [9] [LOBUser_ops] INFO VaultConjurSynchronizer.Synchronizer - VCSS008I Syncing LOB - start
2018-04-17 15:28:30,770 [9] [LOBUser_ops] INFO VaultConjurSynchronizer.Synchronizer - VCSS008I Syncing LOB - end
2018-04-17 15:28:37,770 [6] [main] INFO VaultConjurSynchronizer.Synchronizer - VCSS003I Refreshing accounts from the vault - end
This indicates that the Synchronizer is refreshing but not syncing any LOBs because the LOB User account is not configured correctly. Verify that the account is stored in the ConjurSync safe, and that the account name (and the username) start with "LOBUser_".
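The following added Python parser (not CyberArk code) reads entries in the [Date] [Thread ID] [Thread Context] [Debug Level] [Message] format from the Logs section, maps Windows Event IDs to the levels in that table, and flags the "refreshing but not syncing" pattern of the last troubleshooting entry; the sample lines are constructed to match the ones quoted above.

```python
"""Synchronizer log parsing and a 'refreshing but not syncing' check.

Added example, not CyberArk code. Entries follow the Logs-section format
[Date] [Thread ID] [Thread Context] [Debug Level] [Message], where the
message as quoted on this page reads "<logger> - <VCSS code> <text>".
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>\d+)\] \[(?P<context>[^\]]+)\] (?P<level>[A-Z]+) "
    r"(?P<logger>\S+) - (?P<code>VCSS\d{3}[A-Z]) (?P<text>.*)$"
)

# Event ID leading digit -> (Synchronizer log level, Windows Event log level)
EVENT_LEVELS = {"1": ("Debug", "Information"), "2": ("Info", "Information"),
                "3": ("Warning", "Warning"), "4": ("Error", "Error"),
                "5": ("Fatal", "Error")}


@dataclass
class Entry:
    date: str
    thread: int
    context: str   # LOB name, or "main" outside any LOB
    level: str
    code: str      # VCSS message code, e.g. VCSS003I
    text: str


def parse_line(line):
    """Return an Entry, or None for lines that are not log entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["date"], int(m["thread"]), m["context"],
                 m["level"], m["code"], m["text"])


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def event_log_level(event_id):
    """Level pair for a Windows Event ID, keyed on its leading digit."""
    return EVENT_LEVELS.get(str(event_id)[0])


def idle_refresh_cycles(entries):
    """Return (start, end) dates of VCSS003I refresh cycles that contain no
    VCSS008I 'Syncing LOB' entry: the Synchronizer runs but syncs no LOB,
    which the entry above attributes to a LOB User account that is not in
    the ConjurSync safe or not named LOBUser_*."""
    idle, start, synced = [], None, False
    for e in entries:
        if e.code == "VCSS003I" and e.text.endswith("start"):
            start, synced = e.date, False
        elif e.code == "VCSS008I":
            synced = True
        elif e.code == "VCSS003I" and e.text.endswith("end") and start:
            if not synced:
                idle.append((start, e.date))
            start = None
    return idle


# Constructed samples mirroring the two excerpts in the troubleshooting table.
LOGGER = "VaultConjurSynchronizer.Synchronizer"
SAMPLE_NOT_SYNCING = (
    f"2018-04-17 15:19:14,865 [6] [main] INFO {LOGGER} - VCSS003I Refreshing accounts from the vault - start\n"
    f"2018-04-17 15:19:14,865 [6] [main] INFO {LOGGER} - VCSS003I Refreshing accounts from the vault - end\n"
)
SAMPLE_HEALTHY = (
    f"2018-04-17 15:28:07,770 [6] [main] INFO {LOGGER} - VCSS003I Refreshing accounts from the vault - start\n"
    f"2018-04-17 15:28:10,770 [9] [LOBUser_ops] INFO {LOGGER} - VCSS008I Syncing LOB - start\n"
    f"2018-04-17 15:28:30,770 [9] [LOBUser_ops] INFO {LOGGER} - VCSS008I Syncing LOB - end\n"
    f"2018-04-17 15:28:37,770 [6] [main] INFO {LOGGER} - VCSS003I Refreshing accounts from the vault - end\n"
)

if __name__ == "__main__":
    for name, text in (("not syncing", SAMPLE_NOT_SYNCING), ("healthy", SAMPLE_HEALTHY)):
        print(name, idle_refresh_cycles(parse_log(text)))
```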