CyberArk: Configure Groundplex Nodes

Overview

The (secrets-config.json) file provides the information that Snaplex nodes need to access the secrets manager.

  • Permissions to update the Groundplex nodes
In the node configuration file, you will enter the information you collected when setting up the Conjur environment.
  1. Create a secrets-config.json file.
    1. Copy and paste the following JSON structure and replace the placeholders with the appropriate values.
       {
        "CYBERARK" : [
          {
            "alias": "config-name",
            "project_space": "/snaplogic/shared",
            "basePath": "https://ip-address:8443",
            "account": "myConjurAccount",
            "userName": "username",
            "apiKey": "apiKey"
          },
          ...
        ]
      }
      
      alias The name of this configuration object.
      Important: Do not use any of the reserved default aliases (such as DEFAULT_AWS) in your custom secrets-config.json file.
      project_space Optional. If specified, restricts the use of secrets to accounts in the specified project space, shared folder, or project. Use this format (<project_name> is optional): /<org>/<project_space>[/<project_name>] Examples: /Dev_org/My_Space/My_project, /Dev_org/My_Space/shared
      basePath The endpoint URL for Conjur.
      account The account you used to set up Conjur.
      userName Your Conjur user/host identity.
      apiKey The API key or password for your Conjur user/host.

      For every Conjur environment, you need a configuration object inside the CYBERARK array with the appropriate values.

    2. Save the file.
  2. Configure each JCC node in your Groundplex.
    1. Copy the secrets-config.json file to the /etc/snaplogic directory.
    2. Add a TLS certificate.

      A Conjur self-signed TLS certificate was automatically generated when you configured the Leader server of your Conjur environment. You can also use certificates from third-party issuers.

      1. Retrieve the Conjur TLS certificate.
        1. At a command line on a machine that has OpenSSL and access to Conjur, run:
           $ openssl s_client -showcerts -servername myconjurserver.com \
            -connect myconjusrserver.com:443 < /dev/null 2> /dev/null \
            | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > conjur.pem
          
        2. Verify that conjur.pem was created and that it contains the encoded certificate.
      2. Convert the .pem file into the .dem format.
         $ openssl x509 -outform der -in conjur.pem -out conjur-default.der
        
      3. Load the Conjur TLS certificate into Java's certificate authority (CA) keystore.
         $ sudo -E keytool -importcert \
          -alias conjur-myConjurAccount \
          -keystore "$JRE_HOME/lib/security/cacerts" \
          -storepass changeit \
          -file ./conjur-myConjurAccount.der
        
    3. Set up the required environment variables or system properties.
      Note: If the same setting is defined as both an environment variable and a system property, the system property value has precedence.
      Environment variable or system property Description
      CONJUR_AUTO_UPDATE_TOKEN Required. Must be set to true.
      At a command line, run:
       set system level CONJUR_AUTO_UPDATE_TOKEN: true
      
      CONJUR_APPLIANCE_URL The endpoint URL for Conjur.
      If you are connecting to a Conjur Enterprise environment configured for high availability,
      • Use the URL of the master load balancer if you intend to perform read and write operations.
      • Use the URL of a follower load balancer if you intend to perform read-only operations.
      CONJUR_ACCOUNT The account you used to set up Conjur.
      CONJUR_AUTHN_LOGIN Your Conjur user/host identity.
      CONJUR_AUTHN_API_KEY The API key or password for your Conjur user/host.
      CONJUR_AUTHN_URL Alternate authentication endpoint.

      By default, CONJUR_APPLIANCE_URL is used with an API key. You can set up CONJUR_AUTHN_URL to use with a password.

      To set up system properties at a command line:
       $ java -jar myConjurClient.jar \
        -DCONJUR_APPLIANCE_URL=https://conjur.myorg.com/api \
        -DCONJUR_ACCOUNT=myorg \
        -DCONJUR_AUTHN_LOGIN=host/myhost.example.com \
        -DCONJUR_AUTHN_API_KEY=xxxxxxxxxxxxxxxxxxxxxx
      
    4. Restart the JCC service.
      On Linux, /opt/snaplogic/bin/jcc.sh restart
Configure expressions in SnapLogic accounts to connect and authenticate with a secrets manager.