CyberArk: Configure Groundplex Nodes
Overview
The node configuration file (secrets-config.json) contains the information that the Snaplex needs to access the appropriate secrets.
- Permissions to update the Groundplex nodes
- Create a secrets-config.json file.
- Copy and paste the JSON structure and fill in the required values.
{
  "CYBERARK": [
    {
      "alias": "config-name",
      "project_space": "/snaplogic/shared",
      "basePath": "https://ip-address:8443",
      "account": "myConjurAccount",
      "userName": "username",
      "apiKey": "apiKey"
    },
    ...
  ]
}
alias: The name of this configuration object. Important: Do not use any of the reserved default aliases (such as DEFAULT_AWS) in your custom secrets-config.json file.
project_space: Optional. If specified, restricts the use of secrets to accounts in the specified project space. Use this format: /<org>/<project_space>[/<project_name>], where <project_name> is optional. Examples: /<org>/<project_space>/<project>, /<org>/shared, /<org>/<project_space>/shared
basePath: The endpoint URL for Conjur.
account: The account you used to set up Conjur.
userName: Your Conjur user/host identity.
apiKey: The API key or password for your Conjur user/host.
For every Conjur environment, you need a configuration object inside the CYBERARK array with the appropriate values.
- Save the file.
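The following validator is an added example, not SnapLogic or CyberArk code. It reads a secrets-config.json document, applies the alias and project_space rules from the field list above, and decides whether an account stored at a given project path may use a configuration object. The reserved-alias set contains only DEFAULT_AWS (the one name the page gives), the https check on basePath is an added hardening check, and the account-path layout /<org>/<project_space>/<project>/... is an assumption about how SnapLogic paths nest; the sample config is constructed.

```python
"""Validate a CyberArk Conjur secrets-config.json for a Groundplex node (added example)."""
import json
import re

# Only DEFAULT_AWS is named on the page; extend this set from the SnapLogic docs.
RESERVED_ALIASES = {"DEFAULT_AWS"}

# /<org>/<project_space>[/<project_name>]: two or three non-empty path segments.
PROJECT_SPACE_RE = re.compile(r"^/[^/]+/[^/]+(?:/[^/]+)?$")

# Constructed sample matching the structure shown above (one Conjur environment).
SAMPLE_CONFIG = """
{
  "CYBERARK": [
    {
      "alias": "config-name",
      "project_space": "/snaplogic/shared",
      "basePath": "https://ip-address:8443",
      "account": "myConjurAccount",
      "userName": "username",
      "apiKey": "apiKey"
    }
  ]
}
"""
SAMPLE_ENTRY = json.loads(SAMPLE_CONFIG)["CYBERARK"][0]


def validate_config(text):
    """Return a list of problems found in a secrets-config.json document (empty if OK)."""
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    entries = doc.get("CYBERARK") if isinstance(doc, dict) else None
    if not isinstance(entries, list) or not entries:
        return ["CYBERARK must be a non-empty array"]
    seen = set()
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            problems.append(f"entry {i}: must be a JSON object")
            continue
        alias = entry.get("alias")
        if not alias:
            problems.append(f"entry {i}: alias is required")
        elif alias in RESERVED_ALIASES:
            problems.append(f"entry {i}: alias {alias!r} is reserved, choose another name")
        elif alias in seen:
            problems.append(f"entry {i}: duplicate alias {alias!r}")
        seen.add(alias)
        for key in ("basePath", "account", "userName", "apiKey"):
            if not entry.get(key):
                problems.append(f"entry {i}: {key} is required")
        # Added check: the Conjur endpoint carries an API key, so insist on TLS.
        if not str(entry.get("basePath", "")).startswith("https://"):
            problems.append(f"entry {i}: basePath should use https")
        space = entry.get("project_space")
        if space is not None and not PROJECT_SPACE_RE.match(str(space)):
            problems.append(
                f"entry {i}: project_space {space!r} must look like "
                "/<org>/<project_space>[/<project_name>]"
            )
    return problems


def account_may_use(entry, account_path):
    """True if an account at account_path may use this configuration object.

    No project_space means no restriction. With one, the account path must lie
    under it on a segment boundary (so /org/shared does not match /org/sharedX).
    Assumes account paths nest as /<org>/<project_space>/<project>/...
    """
    space = entry.get("project_space")
    if not space:
        return True
    space = space.rstrip("/")
    return account_path == space or account_path.startswith(space + "/")


if __name__ == "__main__":
    print("problems:", validate_config(SAMPLE_CONFIG) or "none")
    for path in ("/snaplogic/shared/conjur-acct", "/snaplogic/projects/team/conjur-acct"):
        print(path, "->", "allowed" if account_may_use(SAMPLE_ENTRY, path) else "denied")
```

Run it against the file you are about to copy to /etc/snaplogic before restarting any node; a reserved alias or a malformed project_space is cheaper to catch here than by watching pipelines fail to resolve secrets.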
- Configure each JCC node in your Groundplex.
- Copy the secrets-config.json file to the /etc/snaplogic directory.
- Add a TLS certificate.
A Conjur self-signed TLS certificate was automatically generated when you configured the Leader server of your Conjur environment. You can also use certificates from third-party issuers.
- Retrieve the Conjur TLS certificate.
- At a command line on a machine that has OpenSSL and access to Conjur, run:
$ openssl s_client -showcerts -servername myconjurserver.com \
    -connect myconjurserver.com:443 < /dev/null 2> /dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > conjur.pem
- Verify that conjur.pem was created and that it contains the encoded certificate.
- Convert the .pem file into the .der format.
$ openssl x509 -outform der -in conjur.pem -out conjur-default.der
- Load the Conjur TLS certificate into Java's certificate authority (CA) keystore.
$ sudo -E keytool -importcert \
    -alias conjur-myConjurAccount \
    -keystore "$JRE_HOME/lib/security/cacerts" \
    -storepass changeit \
    -file ./conjur-default.der
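The script below is an added example, not part of this page or of the SnapLogic or CyberArk tooling. It reproduces two steps of the procedure in plain Python (the sed range that pulls the PEM blocks out of the openssl s_client output, and the PEM-to-DER conversion done by openssl x509 -outform der) and adds the check worth doing before the keytool import: compute the SHA-256 fingerprint of the DER bytes and compare it with the value the Conjur administrator gives you out of band, so that a certificate substituted on the network path between the Groundplex host and Conjur is never loaded into cacerts. The s_client output is constructed, and its two certificate bodies are tiny placeholder DER SEQUENCEs rather than real certificates.

```python
"""Extract, convert and fingerprint the Conjur TLS certificate (added example)."""
import base64
import hashlib
import re

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed stand-in for `openssl s_client -showcerts` output. The two bodies
# are placeholder DER SEQUENCEs (30 03 02 01 01 / 30 03 02 01 02), not real certs.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = myconjurserver.com
   i:CN = example-ca
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
 1 s:CN = example-ca
   i:CN = example-ca
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
---
Server certificate
"""


def extract_pem_certificates(s_client_output):
    """Return each PEM certificate block in order, which is what the sed range keeps."""
    return [
        f"-----BEGIN CERTIFICATE-----\n{m.group(1).strip()}\n-----END CERTIFICATE-----\n"
        for m in PEM_BLOCK_RE.finditer(s_client_output)
    ]


def pem_to_der(pem):
    """Decode the base64 body of one PEM certificate into DER bytes."""
    m = PEM_BLOCK_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())          # drop the 64-column line breaks
    der = base64.b64decode(body, validate=True)
    # Every DER certificate starts with a SEQUENCE tag (0x30); reject anything else
    # so a file that is not a certificate never reaches keytool.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def sha256_fingerprint(der):
    """Colon-separated uppercase SHA-256 fingerprint, the form openssl x509 -fingerprint prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der, expected):
    """Compare with an out-of-band fingerprint, ignoring case and colon separators."""
    normalise = lambda s: s.replace(":", "").upper()
    return normalise(sha256_fingerprint(der)) == normalise(expected)


if __name__ == "__main__":
    certs = extract_pem_certificates(SAMPLE_S_CLIENT_OUTPUT)
    print(f"{len(certs)} certificate(s) found; leaf first")
    leaf = pem_to_der(certs[0])
    with open("conjur.pem", "w") as fh:
        fh.write(certs[0])
    with open("conjur-default.der", "wb") as fh:
        fh.write(leaf)
    print("SHA-256:", sha256_fingerprint(leaf))
    print("compare this value with the one the Conjur administrator gave you before running keytool")
```

The leaf certificate is the first block in the chain; if Conjur presents a chain from a third-party issuer, import and verify the certificate you actually intend to trust rather than whatever is first.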
- Set up the required environment variables or system properties.
Note: If the same setting is defined as both an environment variable and a system property, the system property value has precedence.
Environment variable or system property, with its description:
CONJUR_AUTO_UPDATE_TOKEN: Required. Must be set to true. At a command line, run: set system level CONJUR_AUTO_UPDATE_TOKEN: true
CONJUR_APPLIANCE_URL: The endpoint URL for Conjur. If you are connecting to a Conjur Enterprise environment configured for high availability:
  - Use the URL of the master load balancer if you intend to perform read and write operations.
  - Use the URL of a follower load balancer if you intend to perform read-only operations.
CONJUR_ACCOUNT: The account you used to set up Conjur.
CONJUR_AUTHN_LOGIN: Your Conjur user/host identity.
CONJUR_AUTHN_API_KEY: The API key or password for your Conjur user/host.
CONJUR_AUTHN_URL: Alternate authentication endpoint. By default, CONJUR_APPLIANCE_URL is used with an API key. You can set up CONJUR_AUTHN_URL to use with a password.
To set up system properties at a command line:
$ java -jar myConjurClient.jar \
    -DCONJUR_APPLIANCE_URL=https://conjur.myorg.com/api \
    -DCONJUR_ACCOUNT=myorg \
    -DCONJUR_AUTHN_LOGIN=host/myhost.example.com \
    -DCONJUR_AUTHN_API_KEY=xxxxxxxxxxxxxxxxxxxxxx
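To see which value a node actually ends up with when a setting is supplied both ways, here is an added example (not SnapLogic or CyberArk code) that parses the -D properties out of a java command line, merges them with the environment using the precedence rule from the note above (system property wins), and reports the checks a practitioner wants before restarting the JCC: every required name present, CONJUR_AUTO_UPDATE_TOKEN equal to true, and both URLs using https. The setting names and the sample command line come from the table; the environment dictionary is constructed, the helper names are assumptions, and marking CONJUR_AUTHN_URL as "default" simply records that the appliance URL will be used with the API key when no alternate endpoint is set.

```python
"""Resolve Conjur client settings from environment and -D system properties (added example)."""
import shlex

REQUIRED = ("CONJUR_APPLIANCE_URL", "CONJUR_ACCOUNT", "CONJUR_AUTHN_LOGIN", "CONJUR_AUTHN_API_KEY")
CONJUR_KEYS = REQUIRED + ("CONJUR_AUTO_UPDATE_TOKEN", "CONJUR_AUTHN_URL")

# The command line shown in the table (values are the page's placeholders).
SAMPLE_JAVA_COMMAND = """java -jar myConjurClient.jar \\
    -DCONJUR_APPLIANCE_URL=https://conjur.myorg.com/api \\
    -DCONJUR_ACCOUNT=myorg \\
    -DCONJUR_AUTHN_LOGIN=host/myhost.example.com \\
    -DCONJUR_AUTHN_API_KEY=xxxxxxxxxxxxxxxxxxxxxx"""

# Constructed environment: the token flag is set here, and CONJUR_ACCOUNT
# deliberately conflicts with the -D value to show the precedence rule.
SAMPLE_ENV = {"CONJUR_AUTO_UPDATE_TOKEN": "true", "CONJUR_ACCOUNT": "env-org"}


def parse_system_properties(command_line):
    """Return {NAME: value} for every -DNAME=value token on a java command line."""
    props = {}
    for tok in shlex.split(command_line.replace("\\\n", " ")):
        if tok.startswith("-D") and "=" in tok:
            name, value = tok[2:].split("=", 1)
            props[name] = value
    return props


def resolve_settings(env, sysprops):
    """Merge both sources; a system property overrides the same environment variable."""
    settings, sources = {}, {}
    for key in CONJUR_KEYS:
        if key in sysprops:
            settings[key], sources[key] = sysprops[key], "system property"
        elif key in env:
            settings[key], sources[key] = env[key], "environment"
    if "CONJUR_AUTHN_URL" not in settings and "CONJUR_APPLIANCE_URL" in settings:
        # No alternate endpoint: the appliance URL is used with the API key.
        settings["CONJUR_AUTHN_URL"] = settings["CONJUR_APPLIANCE_URL"]
        sources["CONJUR_AUTHN_URL"] = "default"
    return settings, sources


def check_settings(settings):
    """Return the list of problems that would stop the node authenticating cleanly."""
    problems = [f"{key} is not set" for key in REQUIRED if not settings.get(key)]
    if settings.get("CONJUR_AUTO_UPDATE_TOKEN", "").strip().lower() != "true":
        problems.append("CONJUR_AUTO_UPDATE_TOKEN must be set to true")
    for key in ("CONJUR_APPLIANCE_URL", "CONJUR_AUTHN_URL"):
        value = settings.get(key, "")
        if value and not value.startswith("https://"):
            problems.append(f"{key} should use https")   # added hardening check
    return problems


if __name__ == "__main__":
    settings, sources = resolve_settings(SAMPLE_ENV, parse_system_properties(SAMPLE_JAVA_COMMAND))
    for key in CONJUR_KEYS:
        shown = "<redacted>" if key == "CONJUR_AUTHN_API_KEY" else settings.get(key, "<unset>")
        print(f"{key:26} {shown:40} ({sources.get(key, 'missing')})")
    print("problems:", check_settings(settings) or "none")
```

Note that the API key is masked in the printout: anything that logs resolved settings on a Groundplex node should do the same, since JCC logs are routinely shared for support.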
- Restart the JCC service.
On Linux,
/opt/snaplogic/bin/jcc.sh restart