CyberArk: Configure Groundplex Nodes


The node configuration file (secrets-config.json) contains the information that the Snaplex needs to access the appropriate secrets.

  • Permissions to update the Groundplex nodes
In the node configuration file, you will enter the information you collected when setting up the Conjur environment.
  1. Create a secrets-config.json file.
    1. Copy and paste the JSON structure and fill in the required values.
        {
          "CYBERARK": [
            {
              "alias": "config-name",
              "project_space": "/snaplogic/shared",
              "basePath": "https://ip-address:8443",
              "account": "myConjurAccount",
              "userName": "username",
              "apiKey": "apiKey"
            }
          ]
        }
      alias: The name of this configuration object.
      Important: Do not use any of the reserved default aliases (such as DEFAULT_AWS) in your custom secrets-config.json file.
      project_space: Optional. If specified, restricts the use of these secrets to accounts in the specified project space. Use the format /<org>/<project_space>[/<project_name>], where <project_name> is optional. Examples: /<org>/<project_space>/<project>, /<org>/shared, /<org>/<project_space>/shared
      basePath: The endpoint URL for Conjur.
      account: The account you used to set up Conjur.
      userName: Your Conjur user/host identity.
      apiKey: The API key or password for your Conjur user/host.

      For every Conjur environment, you need a configuration object inside the CYBERARK array with the appropriate values.

    2. Save the file.
  2. Configure each JCC node in your Groundplex.
    1. Copy the secrets-config.json file to the /etc/snaplogic directory.
    2. Add a TLS certificate.

      A Conjur self-signed TLS certificate was automatically generated when you configured the Leader server of your Conjur environment. You can also use certificates from third-party issuers.

      1. Retrieve the Conjur TLS certificate.
        1. At a command line on a machine that has OpenSSL and access to Conjur, run:
           $ openssl s_client -showcerts -servername <conjur-host> \
              -connect <conjur-host>:8443 < /dev/null 2> /dev/null \
              | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > conjur.pem
           Replace <conjur-host> and the port with the host and port from basePath in secrets-config.json.
        2. Verify that conjur.pem was created and that it contains the encoded certificate.
      2. Convert the .pem file into the .der format.
         $ openssl x509 -outform der -in conjur.pem -out conjur-myConjurAccount.der
      3. Load the Conjur TLS certificate into Java's certificate authority (CA) keystore.
         $ sudo -E keytool -importcert \
          -alias conjur-myConjurAccount \
          -keystore "$JRE_HOME/lib/security/cacerts" \
          -storepass changeit \
          -file ./conjur-myConjurAccount.der
    3. Set up the required environment variables or system properties.
      Note: If the same setting is defined as both an environment variable and a system property, the system property value has precedence.
      Environment variable or system property: Description
      CONJUR_AUTO_UPDATE_TOKEN: Required. Must be set to true. For example, in a Linux shell run:
         $ export CONJUR_AUTO_UPDATE_TOKEN=true
      CONJUR_APPLIANCE_URL: The endpoint URL for Conjur.
      If you are connecting to a Conjur Enterprise environment configured for high availability:
      • Use the URL of the master load balancer if you intend to perform read and write operations.
      • Use the URL of a follower load balancer if you intend to perform read-only operations.
      CONJUR_ACCOUNT: The account you used to set up Conjur.
      CONJUR_AUTHN_LOGIN: Your Conjur user/host identity.
      CONJUR_AUTHN_API_KEY: The API key or password for your Conjur user/host.
      CONJUR_AUTHN_URL: Alternate authentication endpoint.

      By default, authentication goes to CONJUR_APPLIANCE_URL with an API key. Set CONJUR_AUTHN_URL if you want to authenticate with a password instead.

      To set the same values as system properties at a command line, pass the -D options before -jar so that the JVM reads them as system properties rather than handing them to the program as arguments:
       $ java -DCONJUR_ACCOUNT=myorg \
         -DCONJUR_AUTHN_LOGIN=host/ \
         -jar myConjurClient.jar
    4. Restart the JCC service.
      On Linux, run: /opt/snaplogic/bin/ restart
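The secrets-config.json structure from step 1 can be checked before it is copied to the nodes. The following Python preflight script is an added example, not part of the SnapLogic documentation or product: it parses the file, checks each object in the CYBERARK array for the fields described above, rejects aliases that collide with the reserved defaults (the page names DEFAULT_AWS; treating every DEFAULT_-prefixed alias as reserved is an assumption of this example), insists on an https basePath, checks the project_space format, and flags a file that group or other users can read, since the file holds the apiKey. The sample configuration inside it is constructed.

```python
import json
import os
import re
import stat

# The page names DEFAULT_AWS as a reserved default alias; treating every
# DEFAULT_-prefixed alias as reserved is an assumption of this example.
RESERVED_ALIAS_PREFIX = "DEFAULT_"
REQUIRED_KEYS = ("alias", "basePath", "account", "userName", "apiKey")
# /<org>/<project_space> with an optional trailing /<project_name>
PROJECT_SPACE_RE = re.compile(r"^/[^/]+/[^/]+(/[^/]+)?$")


def validate_cyberark_config(text: str) -> list[str]:
    """Return the problems found in a secrets-config.json document.

    An empty list means the CYBERARK section has everything the node needs.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    entries = doc.get("CYBERARK") if isinstance(doc, dict) else None
    if not isinstance(entries, list) or not entries:
        return ["CYBERARK must be a non-empty array of configuration objects"]

    problems, seen_aliases = [], set()
    for i, entry in enumerate(entries):
        where = f"CYBERARK[{i}]"
        if not isinstance(entry, dict):
            problems.append(f"{where}: entry is not a JSON object")
            continue
        for key in REQUIRED_KEYS:
            if not entry.get(key):
                problems.append(f"{where}: missing or empty '{key}'")
        alias = str(entry.get("alias") or "")
        if alias.startswith(RESERVED_ALIAS_PREFIX):
            problems.append(f"{where}: alias '{alias}' collides with a reserved default alias")
        if alias in seen_aliases:
            problems.append(f"{where}: duplicate alias '{alias}'")
        if alias:
            seen_aliases.add(alias)
        base = str(entry.get("basePath") or "")
        if base and not base.startswith("https://"):
            problems.append(f"{where}: basePath must use https (got '{base}')")
        space = entry.get("project_space")
        if space is not None and not PROJECT_SPACE_RE.match(str(space)):
            problems.append(
                f"{where}: project_space '{space}' is not /<org>/<project_space>[/<project_name>]"
            )
    return problems


def check_file_permissions(path: str) -> list[str]:
    """The file carries an apiKey: flag it if group or other users can access it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {oct(mode)} is accessible to group/others; use 0600"]
    return []


# Constructed sample that follows the structure shown in step 1.
SAMPLE_CONFIG = json.dumps({
    "CYBERARK": [{
        "alias": "config-name",
        "project_space": "/snaplogic/shared",
        "basePath": "https://ip-address:8443",
        "account": "myConjurAccount",
        "userName": "username",
        "apiKey": "apiKey",
    }]
})

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path) as fh:
            found = validate_cyberark_config(fh.read()) + check_file_permissions(path)
    else:
        found = validate_cyberark_config(SAMPLE_CONFIG)
    print("\n".join(found) if found else "secrets-config.json looks good")
```

Run it with the path of the file you are about to copy to /etc/snaplogic (for example `python3 check_secrets_config.py /etc/snaplogic/secrets-config.json`); without an argument it checks the embedded sample.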
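For the TLS step in 2.2, the sed range expression keeps every BEGIN/END CERTIFICATE block that s_client -showcerts prints, which is the whole chain the server sent, while openssl x509 converts only the first block it finds in conjur.pem. The following Python snippet is an added example (not from the documentation, SnapLogic or OpenSSL) that reproduces those two steps so the behaviour can be seen offline: it extracts each PEM block from s_client output, decodes the chosen one to DER, and checks that the result starts with the DER SEQUENCE tag every X.509 certificate has. The s_client output embedded in it is constructed, and its two "certificates" are minimal DER sequences standing in for real certificates.

```python
import base64
import re

# Matches each PEM certificate block in `openssl s_client -showcerts` output
# (the same span the sed range expression in the procedure selects).
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def extract_pem_certificates(s_client_output: str) -> list[str]:
    """Return every PEM certificate block found in s_client output, leaf first.

    -showcerts prints the whole chain the server sent, so more than one block
    is normal; the sed pipeline in the procedure writes all of them to conjur.pem.
    """
    blocks = []
    for match in PEM_BLOCK_RE.finditer(s_client_output):
        body = "".join(match.group(1).split())  # drop line breaks inside the base64
        blocks.append(
            "-----BEGIN CERTIFICATE-----\n"
            + "\n".join(body[i : i + 64] for i in range(0, len(body), 64))
            + "\n-----END CERTIFICATE-----\n"
        )
    return blocks


def pem_to_der(pem: str) -> bytes:
    """Decode one PEM block to DER bytes (what `openssl x509 -outform der` writes).

    Like `openssl x509`, this reads only the first block in its input, so pass
    the block you actually intend to import (normally the leaf, index 0).
    """
    match = PEM_BLOCK_RE.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    # Every X.509 certificate is a DER SEQUENCE, whose first byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE; not a certificate")
    return der


# Constructed sample: two minimal DER SEQUENCEs stand in for a leaf and an
# issuer certificate (they are not real X.509 certificates), wrapped the way
# s_client -showcerts prints a chain. The subject names are made up.
LEAF_DER = b"\x30\x03\x02\x01\x01"
ISSUER_DER = b"\x30\x03\x02\x01\x02"


def _pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n")


SAMPLE_S_CLIENT_OUTPUT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:CN = conjur-leader\n   i:CN = conjur-ca\n" + _pem(LEAF_DER)
    + " 1 s:CN = conjur-ca\n   i:CN = conjur-ca\n" + _pem(ISSUER_DER)
    + "---\nServer certificate\nsubject=CN = conjur-leader\n---\n"
)

if __name__ == "__main__":
    chain = extract_pem_certificates(SAMPLE_S_CLIENT_OUTPUT)
    print(f"{len(chain)} certificate block(s) in s_client output")
    with open("conjur-myConjurAccount.der", "wb") as fh:
        fh.write(pem_to_der(chain[0]))  # the leaf, as the keytool step expects
```

If conjur.pem turns out to hold more than one block, decide which one you want in the Java keystore before converting; importing the wrong member of the chain is a silent way to end up with a keystore entry that never matches the Conjur endpoint.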
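The precedence note in step 2.3 and the java -D example can be checked with a small resolver. This Python example is added here and is not part of SnapLogic's code or of any Conjur client: it merges environment variables and system properties with the system property winning, validates the settings the procedure lists (only CONJUR_AUTO_UPDATE_TOKEN is marked required on the page; treating the appliance URL, account, login and API key as required as well is an assumption of this example), and parses -D options from a java command line, counting only those that precede -jar, because anything after -jar reaches the program as an argument rather than as a system property. The environment and command lines it uses are constructed.

```python
import os

# The page marks only CONJUR_AUTO_UPDATE_TOKEN as required; treating the other
# four as required is this example's assumption (a connection needs them).
REQUIRED_SETTINGS = (
    "CONJUR_AUTO_UPDATE_TOKEN",
    "CONJUR_APPLIANCE_URL",
    "CONJUR_ACCOUNT",
    "CONJUR_AUTHN_LOGIN",
    "CONJUR_AUTHN_API_KEY",
)
OPTIONAL_SETTINGS = ("CONJUR_AUTHN_URL",)


def parse_system_properties(argv: list[str]) -> dict:
    """Collect -DNAME=value options from a java command line.

    Only options before -jar are read by the JVM as system properties; anything
    after -jar is an argument to the program, so it is ignored here as well.
    """
    props = {}
    for arg in argv:
        if arg == "-jar":
            break
        if arg.startswith("-D") and "=" in arg:
            name, value = arg[2:].split("=", 1)
            props[name] = value
    return props


def resolve_conjur_settings(env: dict, system_properties: dict) -> dict:
    """Merge both sources as the note describes: a system property wins over an
    environment variable of the same name."""
    resolved = {}
    for name in REQUIRED_SETTINGS + OPTIONAL_SETTINGS:
        if name in system_properties:
            resolved[name] = system_properties[name]
        elif name in env:
            resolved[name] = env[name]
    return resolved


def validate_conjur_settings(settings: dict) -> list[str]:
    """Return the problems a node would hit with these settings (empty = fine)."""
    problems = []
    for name in REQUIRED_SETTINGS:
        if not settings.get(name):
            problems.append(f"{name} is required but not set")
    token = settings.get("CONJUR_AUTO_UPDATE_TOKEN")
    if token is not None and token.strip().lower() != "true":
        problems.append(f"CONJUR_AUTO_UPDATE_TOKEN must be true (got {token!r})")
    for name in ("CONJUR_APPLIANCE_URL", "CONJUR_AUTHN_URL"):
        url = settings.get(name)
        if url and not url.startswith("https://"):
            problems.append(f"{name} should use https (got {url!r})")
    return problems


if __name__ == "__main__":
    # Constructed command line: the first -D counts, the one after -jar does not.
    argv = ["java", "-DCONJUR_ACCOUNT=myorg", "-jar", "myConjurClient.jar",
            "-DCONJUR_ACCOUNT=ignored"]
    settings = resolve_conjur_settings(dict(os.environ), parse_system_properties(argv))
    for key, value in settings.items():
        shown = "<redacted>" if key == "CONJUR_AUTHN_API_KEY" else value
        print(f"{key}={shown}")
    print("\n".join(validate_conjur_settings(settings)) or "settings look good")
```

The redaction in the demo matters on a real node: CONJUR_AUTHN_API_KEY is the credential that unlocks every secret the host can read, so a preflight script should never echo it into a log or a terminal scrollback.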
Configure dynamic SnapLogic accounts to connect to your secrets manager and to authenticate.