CyberArk: Configure Groundplex nodes

Configure Groundplex nodes to work with CyberArk Conjur.

A secrets-config.json node configuration file provides the information that the Groundplex nodes need to access secrets.

Permissions to access, update, and restart the Groundplex nodes

In the node configuration file, you will enter the information you collected when setting up the Conjur environment.

Add the following JSON structure and replace placeholders with your values to create secrets-config.json :

"CYBERARK" : [
                  {
                    "alias": "config-name",
                    "project_space": "/snaplogic/shared",
                    "basePath": "https://ip-address:8443",
                    "account": "myConjurAccount",
                    "userName": "username",
                    "apiKey": "apiKey"
                  },
                  ...
                ]
              }


alias	A unique name for the configuration object in this file.
project_space	Optional. If specified, restricts the use of secrets to accounts in the specified project space. Use this format: /<org>/<project_space>[/<project_name>] where the <project_name> is optional. Example: `/<org>/<project_space>/<project>, /<org>/shared, /<org>/<project_space>/shared`
basePath	The endpoint URL for Conjur.
account	The account you used to set up Conjur.
userName	Your Conjur user/host identity.
apiKey	The API key or password for your Conjur user/host.

For every Conjur environment, you need a configuration object inside the CYBERARK array with the appropriate values.

Save secrets-config.json in the /etc/snaplogic directory on each Groundplex node.

Add a TLS certificate

A Conjur self-signed TLS certificate was automatically generated when you configured the Leader server of your Conjur environment. You can also use certificates from third-party issuers

Retrieve the Conjur TLS certificate using OpenSSL:

 $ openssl s_client -showcerts -servername myconjurserver.com \
  -connect myconjusrserver.com:443 < /dev/null 2> /dev/null \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > conjur.pem

Verify.pem and convert to .dem format:

 $ openssl x509 -outform der -in conjur.pem -out conjur-default.der

Load the Conjur TLS certificate into Java's certificate authority (CA) keystore.

  $ JRE_HOME=/opt/snaplogic/pkgs/jdk-11.0.17+8-jre
$ sudo -E $JRE_HOME/bin/keytool -importcert \
-alias conjur-myConjurAccount \
-keystore "$JRE_HOME/lib/security/cacerts" \
-storepass changeit \
-file ./conjur-myConjurAccount.der

Set up the required environment variables or system properties.

Note:

If you set environment variables, they will override the corresponding settings in the secrets-config.json file.
If the same setting is defined as both an environment variable and a system property, the system property value has precedence.


Environment variable or system property	Description
CONJUR_AUTO_UPDATE_TOKEN	Required. Must be set to `true`. At a command line, run: `set system level CONJUR_AUTO_UPDATE_TOKEN: true`
CONJUR_APPLIANCE_URL	The endpoint URL for Conjur. If you are connecting to a Conjur Enterprise environment configured for high availability, Use the URL of the master load balancer if you intend to perform read and write operations. Use the URL of a follower load balancer if you intend to perform read-only operations.
CONJUR_ACCOUNT	The account you used to set up Conjur.
CONJUR_AUTHN_LOGIN	Your Conjur user/host identity.
CONJUR_AUTHN_API_KEY	The API key or password for your Conjur user/host.
CONJUR_AUTHN_URL	Alternate authentication endpoint. By default, `CONJUR_APPLIANCE_URL` is used with an API key. You can set up `CONJUR_AUTHN_URL` to use with a password.

To set up system properties at a command line:

 $ java -jar myConjurClient.jar \
  -DCONJUR_APPLIANCE_URL=https://conjur.myorg.com/api \
  -DCONJUR_ACCOUNT=myorg \
  -DCONJUR_AUTHN_LOGIN=host/myhost.example.com \
  -DCONJUR_AUTHN_API_KEY=xxxxxxxxxxxxxxxxxxxxxx

Restart the JCC service.

Configure endpoint accounts to connect to the secrets manager.