CyberArk: Configure Groundplex Nodes
Overview
A secrets-config.json node configuration file provides the information that the Groundplex nodes need to access secrets.

Before you begin, make sure you have:
- Permissions to access, update, and restart the Groundplex nodes

- Add the following JSON structure and replace the placeholders with your values to create secrets-config.json:

```json
{
  "CYBERARK": [
    {
      "alias": "config-name",
      "project_space": "/snaplogic/shared",
      "basePath": "https://ip-address:8443",
      "account": "myConjurAccount",
      "userName": "username",
      "apiKey": "apiKey"
    },
    ...
  ]
}
```
| Key | Description |
|---|---|
| alias | A unique name for the configuration object in this file. |
| project_space | Optional. If specified, restricts the use of secrets to accounts in the specified project space. Use the format /<org>/<project_space>[/<project_name>], where <project_name> is optional. Examples: /<org>/<project_space>/<project>, /<org>/shared, /<org>/<project_space>/shared |
| basePath | The endpoint URL for Conjur. |
| account | The account you used to set up Conjur. |
| userName | Your Conjur user/host identity. |
| apiKey | The API key or password for your Conjur user/host. |

For every Conjur environment, you need a configuration object inside the CYBERARK array with the appropriate values.
- Save secrets-config.json in the /etc/snaplogic directory on each Groundplex node.
Add a TLS certificate
A Conjur self-signed TLS certificate was automatically generated when you configured the Leader server of your Conjur environment. You can also use certificates from third-party issuers.
- Retrieve the Conjur TLS certificate using OpenSSL:

```shell
$ openssl s_client -showcerts -servername myconjurserver.com \
    -connect myconjurserver.com:443 < /dev/null 2> /dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > conjur.pem
```
- Verify the .pem file and convert it to DER format (the output file name must match the one used in the keytool step that follows):

```shell
$ openssl x509 -outform der -in conjur.pem -out conjur-myConjurAccount.der
```
- Load the Conjur TLS certificate into Java's certificate authority (CA) keystore:

```shell
$ JRE_HOME=/opt/snaplogic/pkgs/jdk-11.0.17+8-jre
$ sudo -E $JRE_HOME/bin/keytool -importcert \
    -alias conjur-myConjurAccount \
    -keystore "$JRE_HOME/lib/security/cacerts" \
    -storepass changeit \
    -file ./conjur-myConjurAccount.der
```
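The s_client | sed pipeline above writes every certificate the server presents into conjur.pem, and `openssl x509` then converts only the first block. Because importing into cacerts makes the JVM trust that certificate for every connection, the file is worth checking against a fingerprint obtained out of band (for example read directly on the Conjur Leader host) before the keytool step. The script below is an added example, not SnapLogic or CyberArk code: it splits the PEM file into blocks, converts each to DER exactly as `openssl x509 -outform der` does, prints SHA-256 fingerprints in openssl's colon-separated form, and compares the first certificate with the expected pin. The sample PEM is built from constructed byte strings and is not a real certificate; the keytool argv is returned for inspection, not executed.

```python
"""Check a certificate retrieved with openssl s_client before trusting it (added example)."""
import hashlib
import re
import ssl
from typing import List

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def split_pem_certs(pem_text: str) -> List[str]:
    """Return each PEM certificate block in the file, in file order."""
    return PEM_BLOCK_RE.findall(pem_text)


def pem_to_der(pem_block: str) -> bytes:
    """Equivalent of `openssl x509 -outform der` for one PEM block."""
    return ssl.PEM_cert_to_DER_cert(pem_block)


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 fingerprint in the form `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def verify_fingerprint(pem_text: str, expected: str) -> bool:
    """True if the first certificate in the file matches the expected pin."""
    blocks = split_pem_certs(pem_text)
    if not blocks:
        return False
    got = fingerprint_sha256(pem_to_der(blocks[0]))
    return got.upper() == expected.replace(" ", "").upper()


def keytool_import_argv(jre_home: str, alias: str, der_path: str) -> List[str]:
    """argv for the keytool import step above (returned, not executed)."""
    return [
        f"{jre_home}/bin/keytool", "-importcert",
        "-alias", alias,
        "-keystore", f"{jre_home}/lib/security/cacerts",
        "-storepass", "changeit",
        "-file", der_path,
    ]


# Constructed stand-ins for a leaf and an issuer certificate (not real DER).
SAMPLE_LEAF_DER = b"constructed-leaf-certificate-bytes"
SAMPLE_ISSUER_DER = b"constructed-issuer-certificate-bytes"
SAMPLE_PEM = (
    ssl.DER_cert_to_PEM_cert(SAMPLE_LEAF_DER)
    + ssl.DER_cert_to_PEM_cert(SAMPLE_ISSUER_DER)
)

if __name__ == "__main__":
    for i, block in enumerate(split_pem_certs(SAMPLE_PEM)):
        print(i, fingerprint_sha256(pem_to_der(block)))
    expected = fingerprint_sha256(SAMPLE_LEAF_DER)  # in practice, read on the Leader host
    print("pin ok:", verify_fingerprint(SAMPLE_PEM, expected))
    print(" ".join(keytool_import_argv("/opt/snaplogic/pkgs/jdk-11.0.17+8-jre",
                                       "conjur-myConjurAccount",
                                       "./conjur-myConjurAccount.der")))
```

With a real conjur.pem, pass open("conjur.pem").read() to verify_fingerprint together with the fingerprint taken from the Leader; only proceed to keytool when it returns True. With a third-party issuer the file holds the chain, and the first block is the server certificate, which is what the conversion step above produces.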
- Set up the required environment variables or system properties.

  Note:
  - If you set environment variables, they override the corresponding settings in the secrets-config.json file.
  - If the same setting is defined as both an environment variable and a system property, the system property value takes precedence.
| Environment variable or system property | Description |
|---|---|
| CONJUR_AUTO_UPDATE_TOKEN | Required. Must be set to true. At a command line, run: set system level CONJUR_AUTO_UPDATE_TOKEN: true |
| CONJUR_APPLIANCE_URL | The endpoint URL for Conjur. If you are connecting to a Conjur Enterprise environment configured for high availability: use the URL of the master load balancer if you intend to perform read and write operations; use the URL of a follower load balancer if you intend to perform read-only operations. |
| CONJUR_ACCOUNT | The account you used to set up Conjur. |
| CONJUR_AUTHN_LOGIN | Your Conjur user/host identity. |
| CONJUR_AUTHN_API_KEY | The API key or password for your Conjur user/host. |
| CONJUR_AUTHN_URL | Alternate authentication endpoint. By default, CONJUR_APPLIANCE_URL is used with an API key. You can set up CONJUR_AUTHN_URL to use with a password. |

To set up system properties at a command line (the -D options must precede -jar, otherwise the JVM passes them to the application as plain arguments):

```shell
$ java -DCONJUR_APPLIANCE_URL=https://conjur.myorg.com/api \
    -DCONJUR_ACCOUNT=myorg \
    -DCONJUR_AUTHN_LOGIN=host/myhost.example.com \
    -DCONJUR_AUTHN_API_KEY=xxxxxxxxxxxxxxxxxxxxxx \
    -jar myConjurClient.jar
```
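The precedence rules above (system property over environment variable over secrets-config.json) decide which value a node actually uses, and it is easy to lose track of that when the same setting appears in more than one place. The following added example (not SnapLogic code) models the resolution: parse_sysprops collects only the -D options that precede -jar, resolve_settings merges the three sources in the stated order, missing_settings reports required values that are absent and the mandatory CONJUR_AUTO_UPDATE_TOKEN=true, and source_of says where a value came from. The correspondence between the file keys and the variable names is this example's assumption, based on the identical descriptions the two tables give; the sample file entry, environment and command line are constructed.

```python
"""Resolve the effective Conjur settings for a Groundplex node (added example)."""
from typing import Dict, List, Mapping, Optional

# Assumed correspondence between secrets-config.json keys and variable names.
FILE_KEY_TO_VAR = {
    "basePath": "CONJUR_APPLIANCE_URL",
    "account": "CONJUR_ACCOUNT",
    "userName": "CONJUR_AUTHN_LOGIN",
    "apiKey": "CONJUR_AUTHN_API_KEY",
}
VAR_TO_FILE_KEY = {var: key for key, var in FILE_KEY_TO_VAR.items()}
REQUIRED_VARS = ("CONJUR_APPLIANCE_URL", "CONJUR_ACCOUNT",
                 "CONJUR_AUTHN_LOGIN", "CONJUR_AUTHN_API_KEY")
ALL_VARS = REQUIRED_VARS + ("CONJUR_AUTHN_URL", "CONJUR_AUTO_UPDATE_TOKEN")


def parse_sysprops(argv: List[str]) -> Dict[str, str]:
    """Collect -DNAME=value options that precede -jar; later ones are program args."""
    props: Dict[str, str] = {}
    for arg in argv:
        if arg == "-jar":
            break
        if arg.startswith("-D") and "=" in arg:
            name, value = arg[2:].split("=", 1)
            props[name] = value
    return props


def resolve_settings(file_entry: Mapping[str, str], env: Mapping[str, str],
                     sysprops: Mapping[str, str]) -> Dict[str, str]:
    """Merge the three sources: file first, then env, then system properties."""
    effective: Dict[str, str] = {}
    for key, var in FILE_KEY_TO_VAR.items():
        if key in file_entry:
            effective[var] = file_entry[key]
    for var in ALL_VARS:
        if var in env:
            effective[var] = env[var]        # env overrides the file
        if var in sysprops:
            effective[var] = sysprops[var]   # system property overrides env
    return effective


def missing_settings(effective: Mapping[str, str]) -> List[str]:
    """Required values that are absent, plus the mandatory auto-update flag."""
    problems = [v for v in REQUIRED_VARS if not effective.get(v)]
    if effective.get("CONJUR_AUTO_UPDATE_TOKEN", "").lower() != "true":
        problems.append("CONJUR_AUTO_UPDATE_TOKEN must be set to true")
    return problems


def source_of(var: str, file_entry: Mapping[str, str], env: Mapping[str, str],
              sysprops: Mapping[str, str]) -> Optional[str]:
    """Name the source whose value wins for one variable."""
    if var in sysprops:
        return "system property"
    if var in env:
        return "environment variable"
    if var in VAR_TO_FILE_KEY and VAR_TO_FILE_KEY[var] in file_entry:
        return "secrets-config.json"
    return None


# Constructed sample inputs (placeholder values, as on this page).
SAMPLE_FILE_ENTRY = {"alias": "config-name", "basePath": "https://ip-address:8443",
                     "account": "myConjurAccount", "userName": "username", "apiKey": "apiKey"}
SAMPLE_ENV = {"CONJUR_AUTO_UPDATE_TOKEN": "true",
              "CONJUR_APPLIANCE_URL": "https://env.example.test/api"}
SAMPLE_ARGV = ["java", "-DCONJUR_APPLIANCE_URL=https://conjur.myorg.com/api",
               "-DCONJUR_ACCOUNT=myorg", "-jar", "myConjurClient.jar",
               "-DCONJUR_AUTHN_LOGIN=ignored-after-jar"]

if __name__ == "__main__":
    props = parse_sysprops(SAMPLE_ARGV)
    effective = resolve_settings(SAMPLE_FILE_ENTRY, SAMPLE_ENV, props)
    for var in ALL_VARS:
        print(f"{var:26} {effective.get(var)!r:40} from {source_of(var, SAMPLE_FILE_ENTRY, SAMPLE_ENV, props)}")
    print("problems:", missing_settings(effective) or "none")
```

Note that anything passed as a -D option is visible to every user who can list processes on the node, so the API key is better kept in secrets-config.json or the environment and the command line reserved for the non-secret settings.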
- Restart the JCC service.