CyberArk: Configure Groundplex Nodes

Overview

A secrets-config.json node configuration file provides the information that the Groundplex nodes need to access secrets.

Prerequisites:
  • Permissions to access, update, and restart the Groundplex nodes

In the node configuration file, you enter the information you collected when setting up the Conjur environment.
  1. Create secrets-config.json with the following JSON structure, replacing the placeholders with your values (note the enclosing top-level object):
     {
       "CYBERARK": [
         {
           "alias": "config-name",
           "project_space": "/snaplogic/shared",
           "basePath": "https://ip-address:8443",
           "account": "myConjurAccount",
           "userName": "username",
           "apiKey": "apiKey"
         },
         ...
       ]
     }

     alias: A unique name for the configuration object in this file.
     project_space: Optional. If specified, restricts the use of secrets to accounts in the specified project space. Use the format /<org>/<project_space>[/<project_name>], where <project_name> is optional. Examples: /<org>/<project_space>/<project>, /<org>/shared, /<org>/<project_space>/shared
     basePath: The endpoint URL for Conjur.
     account: The account you used to set up Conjur.
     userName: Your Conjur user/host identity.
     apiKey: The API key or password for your Conjur user/host.

    For every Conjur environment, you need a configuration object inside the CYBERARK array with the appropriate values.

  2. Save secrets-config.json in the /etc/snaplogic directory on each Groundplex node.
  3. Add a TLS certificate

    A Conjur self-signed TLS certificate was automatically generated when you configured the Leader server of your Conjur environment. You can also use a certificate from a third-party issuer.

    1. Retrieve the Conjur TLS certificate using OpenSSL (the same hostname is used for -servername and -connect):
       $ openssl s_client -showcerts -servername myconjurserver.com \
         -connect myconjurserver.com:443 < /dev/null 2> /dev/null \
         | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > conjur.pem

    2. Verify conjur.pem and convert it to DER format:
       $ openssl x509 -outform der -in conjur.pem -out conjur-default.der

    3. Load the Conjur TLS certificate into Java's certificate authority (CA) keystore. The -file value must be the DER file produced in the previous step:
       $ JRE_HOME=/opt/snaplogic/pkgs/jdk-11.0.17+8-jre
       $ sudo -E $JRE_HOME/bin/keytool -importcert \
         -alias conjur-myConjurAccount \
         -keystore "$JRE_HOME/lib/security/cacerts" \
         -storepass changeit \
         -file ./conjur-default.der

  4. Set up the required environment variables or system properties.
    Note:
    • If you set environment variables, they will override the corresponding settings in the secrets-config.json file.
    • If the same setting is defined as both an environment variable and a system property, the system property value has precedence.
    Environment variable or system property: Description
    CONJUR_AUTO_UPDATE_TOKEN: Required. Must be set to true. At a command line, set it at the system level, for example:
      $ export CONJUR_AUTO_UPDATE_TOKEN=true
    CONJUR_APPLIANCE_URL: The endpoint URL for Conjur. If you are connecting to a Conjur Enterprise environment configured for high availability:
      • Use the URL of the master load balancer if you intend to perform read and write operations.
      • Use the URL of a follower load balancer if you intend to perform read-only operations.
    CONJUR_ACCOUNT: The account you used to set up Conjur.
    CONJUR_AUTHN_LOGIN: Your Conjur user/host identity.
    CONJUR_AUTHN_API_KEY: The API key or password for your Conjur user/host.
    CONJUR_AUTHN_URL: Alternate authentication endpoint.

    By default, authentication goes to CONJUR_APPLIANCE_URL using an API key. Set CONJUR_AUTHN_URL if you authenticate with a password instead.

    To set the system properties at a command line (JVM -D options must come before -jar, otherwise they are passed to the application as arguments and ignored by the JVM):
     $ java \
       -DCONJUR_APPLIANCE_URL=https://conjur.myorg.com/api \
       -DCONJUR_ACCOUNT=myorg \
       -DCONJUR_AUTHN_LOGIN=host/myhost.example.com \
       -DCONJUR_AUTHN_API_KEY=xxxxxxxxxxxxxxxxxxxxxx \
       -jar myConjurClient.jar

  5. Restart the JCC service.
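To catch the mistakes this procedure invites (a missing enclosing brace, a duplicate alias, a plain-http basePath, a malformed project_space) before a node reads the file, here is an added Python validator for the secrets-config.json layout from step 1. It is example code, not part of the SnapLogic or CyberArk product; the sample document, the 10.0.0.5 address and the PLACEHOLDER_API_KEY value are constructed, and the rule that basePath must be an https:// URL is this example's own assumption.

```python
import json
import re

# Layout documented on this page: {"CYBERARK": [ {alias, basePath, ...}, ... ]}
REQUIRED_KEYS = ("alias", "basePath", "account", "userName", "apiKey")
# project_space format from the page: /<org>/<project_space>[/<project_name>]
PROJECT_SPACE_RE = re.compile(r"^/[^/\s]+/[^/\s]+(/[^/\s]+)?$")

def validate_secrets_config(text: str) -> list:
    """Return the problems found in a secrets-config.json document (empty list = OK)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    entries = doc.get("CYBERARK") if isinstance(doc, dict) else None
    if not isinstance(entries, list) or not entries:
        return ["top-level object must contain a non-empty CYBERARK array"]
    problems, seen = [], set()
    for i, entry in enumerate(entries):
        where = f"CYBERARK[{i}]"
        if not isinstance(entry, dict):
            problems.append(f"{where}: must be an object")
            continue
        for key in REQUIRED_KEYS:  # every object needs these five non-empty strings
            if not isinstance(entry.get(key), str) or not entry[key].strip():
                problems.append(f"{where}: missing or empty '{key}'")
        alias = entry.get("alias")
        if isinstance(alias, str):  # alias must be unique within the file
            if alias in seen:
                problems.append(f"{where}: duplicate alias '{alias}'")
            seen.add(alias)
        base = entry.get("basePath", "")
        if isinstance(base, str) and not base.startswith("https://"):  # assumption: TLS only
            problems.append(f"{where}: basePath must be an https:// URL, got '{base}'")
        space = entry.get("project_space")  # optional, but must match the documented format
        if space is not None and not (isinstance(space, str) and PROJECT_SPACE_RE.match(space)):
            problems.append(f"{where}: project_space must be /<org>/<project_space>[/<project_name>]")
    return problems

# Constructed sample, not from the page: entry 0 is valid, entry 1 has four defects.
SAMPLE = """{"CYBERARK": [
  {"alias": "prod", "project_space": "/acme/shared", "basePath": "https://10.0.0.5:8443",
   "account": "acme", "userName": "host/groundplex-1", "apiKey": "PLACEHOLDER_API_KEY"},
  {"alias": "prod", "project_space": "acme/shared", "basePath": "http://10.0.0.5:8443",
   "account": "acme", "userName": "host/groundplex-2"}
]}"""

if __name__ == "__main__":
    for line in validate_secrets_config(SAMPLE) or ["OK"]:
        print(line)
```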
Next, configure Snap accounts to connect to the secrets manager.