CyberArk: Configure Groundplex Nodes

Overview

A secrets-config.json node configuration file provides the information that the Groundplex nodes need to access secrets.

Before you begin, you need:
  • Permissions to access, update, and restart the Groundplex nodes

In the node configuration file, you enter the information you collected when setting up the Conjur environment.
  1. Create a secrets-config.json file.
    1. Copy and paste the following JSON structure and replace the placeholders with the appropriate values.
       {
        "CYBERARK" : [
          {
            "alias": "config-name",
            "project_space": "/snaplogic/shared",
            "basePath": "https://ip-address:8443",
            "account": "myConjurAccount",
            "userName": "username",
            "apiKey": "apiKey"
          },
          ...
        ]
      }
      
       Field          Description
       alias          A unique name for the configuration object in this file.
       project_space  Optional. If specified, restricts the use of secrets to accounts in the specified project space. Use this format: /<org>/<project_space>[/<project_name>], where <project_name> is optional. Examples: /<org>/<project_space>/<project>, /<org>/shared, /<org>/<project_space>/shared
       basePath       The endpoint URL for Conjur.
       account        The account you used to set up Conjur.
       userName       Your Conjur user/host identity.
       apiKey         The API key or password for your Conjur user/host.

      For every Conjur environment, you need a configuration object inside the CYBERARK array with the appropriate values.

    2. Save the file.
  2. Configure each Groundplex node.
    1. Copy the secrets-config.json file to the /etc/snaplogic directory.
    2. Add a TLS certificate.

      A Conjur self-signed TLS certificate was automatically generated when you configured the Leader server of your Conjur environment. You can also use certificates from third-party issuers.

      1. Retrieve the Conjur TLS certificate.
        1. At a command line on a machine that has OpenSSL and access to Conjur, run:
           $ openssl s_client -showcerts -servername myconjurserver.com \
            -connect myconjurserver.com:443 < /dev/null 2> /dev/null \
            | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > conjur.pem
          
        2. Verify that conjur.pem was created and that it contains the encoded certificate.
      2. Convert the .pem file into the .der format (the output file name is the one imported in the next step).
         $ openssl x509 -outform der -in conjur.pem -out conjur-myConjurAccount.der
        
      3. Load the Conjur TLS certificate into Java's certificate authority (CA) keystore.
         $ sudo -E keytool -importcert \
          -alias conjur-myConjurAccount \
          -keystore "$JRE_HOME/lib/security/cacerts" \
          -storepass changeit \
          -file ./conjur-myConjurAccount.der
        
    3. Set up the required environment variables or system properties.
      Note: If the same setting is defined as both an environment variable and a system property, the system property value takes precedence.

      Environment variable or system property  Description
      CONJUR_AUTO_UPDATE_TOKEN   Required. Must be set to true. At a command line, run:
                                 $ export CONJUR_AUTO_UPDATE_TOKEN=true
      CONJUR_APPLIANCE_URL       The endpoint URL for Conjur. If you are connecting to a Conjur Enterprise environment configured for high availability:
                                 • Use the URL of the master load balancer if you intend to perform read and write operations.
                                 • Use the URL of a follower load balancer if you intend to perform read-only operations.
      CONJUR_ACCOUNT             The account you used to set up Conjur.
      CONJUR_AUTHN_LOGIN         Your Conjur user/host identity.
      CONJUR_AUTHN_API_KEY       The API key or password for your Conjur user/host.
      CONJUR_AUTHN_URL           Alternate authentication endpoint.

      By default, CONJUR_APPLIANCE_URL is used with an API key. You can set up CONJUR_AUTHN_URL to use with a password.

      To set up system properties at a command line (JVM -D options must come before -jar, otherwise they are passed to the application as ordinary arguments):
       $ java \
        -DCONJUR_APPLIANCE_URL=https://conjur.myorg.com/api \
        -DCONJUR_ACCOUNT=myorg \
        -DCONJUR_AUTHN_LOGIN=host/myhost.example.com \
        -DCONJUR_AUTHN_API_KEY=xxxxxxxxxxxxxxxxxxxxxx \
        -jar myConjurClient.jar
      
    4. Restart the JCC service. On Linux, run:
       $ /opt/snaplogic/bin/jcc.sh restart
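Before copying secrets-config.json to the nodes, it is worth checking that the CYBERARK array is well formed. The validator below is an added example, not SnapLogic or CyberArk code: it checks the fields described in step 1 (required keys, unique aliases, an https basePath, and the /<org>/<project_space>[/<project_name>] form of project_space) and flags template placeholders that were never replaced; the configuration it inspects is constructed for illustration.

```python
import json
import re

# Required keys of each CYBERARK object (project_space is optional) and the template placeholders that must be replaced.
REQUIRED_FIELDS = ("alias", "basePath", "account", "userName", "apiKey")
TEMPLATE_PLACEHOLDERS = {"alias": "config-name", "userName": "username", "apiKey": "apiKey"}
# project_space format from the docs: /<org>/<project_space>[/<project_name>], e.g. /snaplogic/shared
PROJECT_SPACE_RE = re.compile(r"^/[^/\s]+/[^/\s]+(/[^/\s]+)?$")


def validate_secrets_config(text):
    """Return a list of problems found in a secrets-config.json document (empty when it is acceptable)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    entries = doc.get("CYBERARK") if isinstance(doc, dict) else None
    if not isinstance(entries, list) or not entries:
        return ["top-level CYBERARK array is missing or empty"]
    problems, seen_aliases = [], set()
    for i, entry in enumerate(entries):
        where = f"CYBERARK[{i}]"
        if not isinstance(entry, dict):
            problems.append(f"{where}: not a JSON object")
            continue
        for field in REQUIRED_FIELDS:
            if not str(entry.get(field, "")).strip():
                problems.append(f"{where}: missing required field {field}")
        for field, placeholder in TEMPLATE_PLACEHOLDERS.items():
            if entry.get(field) == placeholder:
                problems.append(f"{where}: {field} still holds the template placeholder")
        alias = entry.get("alias")
        if alias in seen_aliases:
            problems.append(f"{where}: duplicate alias {alias!r}")
        seen_aliases.add(alias)
        # Conjur is reached over TLS (step 2 imports its certificate); a plain-http URL would expose the API key.
        base = str(entry.get("basePath", ""))
        if base and not base.startswith("https://"):
            problems.append(f"{where}: basePath must use https://")
        space = entry.get("project_space")
        if space is not None and not PROJECT_SPACE_RE.match(str(space)):
            problems.append(f"{where}: project_space must look like /<org>/<project_space>[/<project_name>]")
    return problems


# Constructed sample (not a real deployment); its second object has a duplicate alias, a plain-http basePath, a project_space without the leading slash, and the template's userName/apiKey placeholders.
SAMPLE_CONFIG = """{"CYBERARK": [
  {"alias": "prod-conjur", "project_space": "/snaplogic/shared", "basePath": "https://10.0.0.5:8443",
   "account": "myConjurAccount", "userName": "host/groundplex-01", "apiKey": "EXAMPLE-KEY-NOT-REAL"},
  {"alias": "prod-conjur", "project_space": "snaplogic/dev", "basePath": "http://10.0.0.6:8443",
   "account": "myConjurAccount", "userName": "username", "apiKey": "apiKey"}
]}"""
```

Running validate_secrets_config(SAMPLE_CONFIG) reports five problems, all on the second object; a clean file returns an empty list, which makes the check easy to wire into whatever step copies the file to /etc/snaplogic.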
Next step: Configure Snap accounts to connect to the secrets manager.