
Vault Synchronizer

Lesson Objectives

This lesson provides an overview of the Vault Synchronizer and how it integrates with Conjur.

Upon completion of this lesson the participant will be able to:

► Learn how to integrate CyberArk Privileged Access Manager with Conjur using Vault Synchronizer
► Gain hands-on experience installing and configuring Vault Synchronizer
► Gain hands-on experience with Conjur policy management for Vault Synchronizer

Copyright © 2023 CyberArk Software Ltd. All rights reserved. cyberark.com


Vault Synchronizer Overview


Integration Objectives

Enable CyberArk customers who store and manage their secrets in CyberArk Privileged Access Manager to:
• Share secrets into Conjur
• Define / configure once, after which secrets automatically synchronize to Conjur
• Use Conjur APIs, clients, and integrations in dynamic and ephemeral environments and containers
• Enforce policy centrally for DevOps use cases, including rotation, monitoring, administration, and secrets retrieval


Consistent, Unified Enterprise-wide PAS Program

[Diagram: a multi-persona UI (PVWA and CyberArk Conjur) over the Vault Enterprise; components shown are CPM, PSM, OPM, CP, CCP, Conjur Enterprise, ASCP and Privileged Threat Analytics, deployed across the on-premises data center and hybrid cloud.]


Vault Synchronizer Workflow

Vault Admin (CyberArk Vault):
• Create a Line of Business (LOB) user in the Vault and grant it Safe membership for all accounts to sync to Conjur
  (1) Grant Safe ownership to LOB users (Safe 1, Safe 2, Safe 3)

Synchronizer:
• Retrieves accounts for the LOBs
  (2) Get accounts per LOB
• Generates Conjur policy for the LOBs and loads it into Conjur
  (3) Generate and load LOB policy
• Syncs the accounts to Conjur as variables
  (4) Continuously sync secrets

Conjur Admin (Conjur Enterprise):
• Creates and loads policy to delegate user / host permissions to the variables
  (5) Load follow-up policy

NOTE: Both the username and password for each account will be synchronized into Conjur and stored as separate secret variable values.

The Synchronizer repeats step 2 during each interval and, if needed, steps 3 and 4.
What is the Line-of-Business User?

A line of business (LOB) represents a business group that requires access to secrets from the Vault. This enables segregation of duty (SoD). The LOB facilitates the syncing of accounts to Conjur.

• Create the LOB User using the PrivateArk Client Utility → LOBUser_<name>
• Vault Synchronizer supports up to 10 different LOB Users
• Add the LOB User to each Safe that stores secrets to synchronize into Conjur
• Configure the Safe permissions listed below

LOBUser Safe Permissions
Role       Permission
Access     Use accounts
           Retrieve accounts
           List accounts
Workflow   Access Safe without confirmation

More information on LOB and how to create it: Line of Business (LOB)


Vault Synchronizer: System Requirements

VAULT & CONJUR REQUIREMENTS
• Privileged Access Manager (PAM)
• Privilege Cloud
• Conjur Enterprise

VAULT SYNCHRONIZER REQUIREMENTS
• Windows Server 2019, Server 2016, or Server 2012 R2
• .NET Framework 4.8 (exact version)
• PowerShell 4.x or PowerShell 5.x
• PowerShell Script Execution Policy enabled
• Hardware: minimum of 4 CPU cores / 8 GB memory


Single Vault → Conjur | Multiple Vaults → Conjur | Single Vault → Multiple Conjurs

[Diagram: Vault Synchronizer deployment topologies]
• Single Vault → Conjur: one Synchronizer syncs Safes 1-4 from one CyberArk Vault into one Conjur Enterprise
• Multiple Vaults → Conjur: one Synchronizer syncs Safes 1-2 from each of two CyberArk Vaults into one Conjur Enterprise (holding Safes 1-4)
• Single Vault → Multiple Conjurs: one Synchronizer syncs Safe 1 from one CyberArk Vault (holding Safes 1-4) into three separate Conjur Enterprise deployments


Privilege Cloud with Conjur

Enables CyberArk customers who store and manage their secrets in Privilege Cloud to benefit from Conjur's capabilities to provide secrets in dynamic and ephemeral environments and containers.

Enable central policy enforcement for DevOps use cases, such as rotation, monitoring, and auditing.

[Diagram: the CyberArk Privilege Cloud Service feeds the Synchronizer, which feeds the Conjur Dynamic Access Provider and its Followers on the customer premises; these serve the DevOps pipeline and target resources (DevOps tools, cloud services, web apps, servers, databases).]

DEPLOYMENT OPTIONS:
• Single Privilege Cloud → Conjur
• Multiple Privilege Clouds → Conjur


Installation Modes

Installation Mode   Description
Interactive         An interactive user experience where you are prompted for information throughout the installation process.
Silent              The installation procedure is initiated either by a user or by a script, and uses information from a configuration file, silent.ini, instead of user interaction.


Vault Synchronizer (v11.4 or later) Installation


1. Trusted certificate(s) for PVWA and Conjur: ensure that these CA certificate(s) are added to the Vault Synchronizer machine's LocalMachine\Root certificate store.
2. Download and unpack the installation package to the <VaultSync> directory.
3. Open Windows PowerShell as an administrator.
4. Change the working directory to C:\<VaultSync>\Installation
5. Run the Vault Synchronizer installation script:
   .\V5SynchronizerInstallation.ps1


6. Input the proper configuration settings when prompted by the installation script. If these parameters are valid, the script should display the following results at this point:

Specify CyberArk Vault Synchronizer installation target path, default: [C:\Program Files\CyberArk\Synchronizer]:
<install-directory-vaultsynchronizer>
Specify an alias for the Vault:
<cyberark-vault-name>
Enter the PVWA/Privilege Cloud Portal URL (for example: https://cyberarkvault.mycompany.com):
<cyberark-pvwa-url>
Enter the Vault IP address. If the Vault has multiple addresses, list them separated by commas and without spaces:
<cyberark-vault-ip_addr>
Enter the Vault port, default: [1858]:
1858
Specify the Vault admin username:
<cyberark-admin-user-name>
Specify the Vault user's password (will not be echoed):
<cyberark-admin-user-password>
Specify the name of the Safe for storing accounts used to manage this Synchronizer:
<safename-to-be-created>

If these parameters are valid, the script should complete with the following results:

Enter the Conjur server hostname and port, where port is optional. Use the format hostname[:port]):
<conjur-cluster-dns>
Enter the Conjur account name:
<account-name>
Enter the Conjur username, default: [admin]:
<conjur-admin-user-name>
Enter the Conjur API Key or password (will not be echoed):
<conjur-admin-user-password>
Specify a name for the LOB:
<lob-user-name>
Enter the name of the CyberArk Vault platform used by the LOB account [CyberArk Vault]:
<vault-platform-name>
or hit <Enter> to accept the default platform


Vault Synchronizer Post-Install (v11.4 or later):
1. Enable Vault Synchronizer Cleanup, which removes data from Conjur when it is no longer available in the Vault.
   – Open VaultConjurSynchronizer.exe.config
   – Set the SYNC_CLEANUP value to true
2. Start the CyberArk Vault-Conjur Synchronizer Windows Service.
3. Synchronize Vault accounts to Conjur:
   – Create a Vault Safe
   – Add the LOBUser to the Safe membership
   – Onboard Vault secrets to the Safe
4. Add additional LOBUser Vault accounts as required using GenerateLOBs.ps1
Vault Synchronizer: Conjur Policy


Vault Synchronizer Policy Overview

VAULT SECRETS (Vault → Vault Synchronizer → Conjur)
Username: <vault>/<lob>/<safe>/<object>/username
Password: <vault>/<lob>/<safe>/<object>/password

• Vault account username & password values are synchronized as individual variable resources by default
• Additional account properties are supported but must be enabled in the Vault Synchronizer configuration settings

VARIABLE NAME ELEMENTS
<VaultName>/<LOBUser>/<SafeName>/<Object>/<Variable>

EXAMPLE VARIABLE NAMES SYNCHRONIZED
/cyberark_vault/prod/myapp/dbaccount/username
/cyberark_vault/prod/myapp/dbaccount/password

VARIABLE ANNOTATIONS
cyberark-vault: 'true'
• Singular accounts
  cyberark-vault/accounts: VaultName/SafeName/account
• Dual accounts
  cyberark-vault/accounts: vaultName/safeName/account1,vaultName/safeName/account2
Variable Name Elements

<VaultName>
    Vault name / policy branch declared during Vault Synchronizer installation

<LOBUser>
    LOB Username created during Vault Synchronizer installation (e.g. LOBUser_authn)

<SafeName>
    Safe name (recommended to include the application name)

<VaultName>/<LOBUser>/<SafeName>/delegation/consumers
    Delegation consumers group created by Vault Synchronizer. By default, this group is granted [read, execute] rights to the secrets synchronized to Conjur.
    EXAMPLE: vault01/authn/app-app01-summon/delegation/consumers

<VaultName>/<LOBUser>/<SafeName>/<Object>/username
    Username Conjur variable and secret value synchronized from the Vault account.
    EXAMPLE: vault01/authn/app-app01-summon/app01/username

<VaultName>/<LOBUser>/<SafeName>/<Object>/password
    Password Conjur variable and secret value synchronized from the Vault account.
    EXAMPLE: vault01/authn/app-app01-summon/app01/password


Vault Synchronizer: Setup Example

[Diagram: Vault01 holds Safe ConjurSync (members LOBUser_authn and Sync_COMP01A) and Safe app-app01-summon (members LOBUser_authn and Sync_COMP01A). The latter contains the dual accounts app01-db01 (VirtualUserName=app01, Status=Active, Index=1) and app01-db02 (VirtualUserName=app01, Status=Inactive, Index=2) in RotationGroup=App01Rotation. The Synchronizer (default sync every 300 secs / 5 mins) writes to Conjur as host/Sync_COMP01A through the load balancer conjur-cluster.acme.corp, which fronts the Leader (Master) and the Standbys.]

1. As part of the Synchronizer setup, the following will be created:
• Safe ConjurSync will be created
• The LOB user (e.g. LOBUser_authn) Vault user and the Sync_<hostname> (e.g. Sync_COMP01A) Conjur Host ID will be onboarded into this Safe
• Vault user Sync_<hostname> (e.g. Sync_COMP01A) will be created and added as a member of the Safe

2. Vault Admins will work with the DevOps team to onboard the secrets that need to be synchronized over to Conjur. The LOBUser (e.g. LOBUser_authn) will be added to the Safe as a member, allowing the Synchronizer to identify which secrets will be synced over to Conjur.

3. By default, every 300 secs (5 mins), the Synchronizer communicates with the Vault using Sync_COMP01A to retrieve all the relevant secrets and credentials and syncs them over to Conjur using host/Sync_COMP01A. For a dual-account setup, the Active account will be synced over.
Vault Synchronizer Policy Hierarchy

root
  <VaultName>                                  <ConjurAccount>:group:<VaultName>-admins (owner)
    <LOBUser>                                  <ConjurAccount>:group:<VaultName>/<LOBUser>-admins (owner)
      <SafeName>                               <ConjurAccount>:policy:<VaultName>/<LOBUser> (owner)
        delegation                             <ConjurAccount>:group:<VaultName>/<LOBUser>/<SafeName>-admins (owner of delegation)
          consumers                            <ConjurAccount>:group:<VaultName>/<LOBUser>/<SafeName>/delegation/consumers
        Variable – <VaultName>/<LOBUser>/<SafeName>/<VirtualUsername | Object>/username
          <ConjurAccount>:variable:<VaultName>/<LOBUser>/<SafeName>/<VirtualUsername | Object>/username
          <ConjurAccount>:group:<VaultName>/<LOBUser>/<SafeName>/delegation/consumers [read, execute]
        Variable – <VaultName>/<LOBUser>/<SafeName>/<VirtualUsername | Object>/password
          <ConjurAccount>:variable:<VaultName>/<LOBUser>/<SafeName>/<VirtualUsername | Object>/password
          <ConjurAccount>:group:<VaultName>/<LOBUser>/<SafeName>/delegation/consumers [read, execute]


Example

root
  vault01                                      acme:group:vault01-admins (owner)
    authn                                      acme:group:vault01/authn-admins (owner)
      app-app01-summon                         acme:policy:vault01/authn (owner)
        delegation                             acme:group:vault01/authn/app-app01-summon-admins (owner of delegation)
          consumers                            acme:group:vault01/authn/app-app01-summon/delegation/consumers
        Variable – vault01/authn/app-app01-summon/app01/username
          acme:variable:vault01/authn/app-app01-summon/app01/username
          acme:group:vault01/authn/app-app01-summon/delegation/consumers [read, execute]
        Variable – vault01/authn/app-app01-summon/app01/password
          acme:variable:vault01/authn/app-app01-summon/app01/password
          acme:group:vault01/authn/app-app01-summon/delegation/consumers [read, execute]


Vault Policy & Vault Admins Group

• During the Vault Synchronizer installation, Conjur policy is loaded and creates the following:
  • Conjur Group: a vault admins group, <VaultName>-admins, with the Vault Synchronizer host in it
  • Conjur Policy: <VaultName>, a policy owned by this group
  • Synchronizer Host: Sync_<sync_server_hostname>, a member of the admins group
• Policy Load Syntax:
  conjur policy load -b root -f <VaultName>.yml

EXAMPLE:
vault01    acme:group:vault01-admins (owner)
           acme:host:Sync_COMP01A (member)


LOBUser Policy & LOB Admins Group

• For each LOB, Vault Synchronizer creates an admins group, <LOBUser>-admins, and a policy owned by this group.
  • Conjur Group: <LOBUser>-admins
  • Conjur Policy: <LOBUser>
• Policy Load Syntax:
  conjur policy load -b root -f <VaultName>-<LOBUser>.yml

EXAMPLE:
vault01
  authn    acme:group:vault01/authn-admins (owner)


Safe Policy & Safe Admins Group

• For each non-empty Safe owned by an LOBUser, Vault Synchronizer creates its own admins group and sub-policy. In this sub-policy, Vault Synchronizer creates a delegation policy owned by the Safe's admins group, which in turn creates a consumers group.
• The responsibility of the <SafeName>-admins group members is to manage the members of the consumers group.
  • Conjur Group: <SafeName>-admins
  • Conjur Policy: <SafeName>
• Policy Load Syntax:
  conjur policy load -b root -f <VaultName>-<LOBUser>-<SafeName>.yml

EXAMPLE:
vault01
  authn
    app-app01-summon    Privileges given: acme:group:vault01/authn/app-app01-summon-admins [create, read, update]
Safe Delegation Policy

• The delegation policy defines a delegation sub-policy and a consumers group. The consumers group is automatically granted read and execute permissions on all variables synchronized to Conjur within the Safe.
  • Conjur Policy: delegation
• Policy Load Syntax:
  conjur policy load -b root -f <VaultName>-<LOBUser>-<SafeName>-delegation.yml

EXAMPLE:
vault01
  authn
    app-app01-summon
      delegation    acme:group:vault01/authn/app-app01-summon-admins (owner)


Safe Consumers Group

• The consumers policy defines a consumers group. This group is automatically granted read and execute permissions on all variables synchronized to Conjur within the Safe.
  • Conjur Group: consumers
• Policy Load Syntax:
  conjur policy load -b root -f <VaultName>-<LOBUser>-<SafeName>-delegation.yml

EXAMPLE:
vault01
  authn
    app-app01-summon
      delegation
        consumers    vault01/authn/app-app01-summon/delegation/consumers
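The naming scheme and ownership chain described in the policy overview, the policy hierarchy and the five policy slides above can be reproduced as a small generator. The following is an added example written for this lesson, not Vault Synchronizer's own code and not its actual generated YAML: it emits the vault, LOB, Safe, delegation and variable policies following the naming scheme above, plus the follow-up grant the Conjur admin loads in step 5 of the workflow. The `-variables.yml` file name, the nested-policy layout (so every file loads with `conjur policy load -b root`), the absolute-id form of the delegation owner reference and the sample Safe contents are assumptions made here.

```python
"""Generate Conjur policy text following the Vault Synchronizer naming scheme.
Added illustration for this lesson, not the Synchronizer's own code: the file
layout, the '-variables.yml' name and the sample inputs are assumptions."""
from typing import Dict, List

VARS = ("username", "password")   # the two values synced per account by default


def variable_ids(vault: str, lob: str, safe: str, obj: str) -> List[str]:
    """<VaultName>/<LOBUser>/<SafeName>/<Object>/<Variable> for both synced values."""
    return [f"{vault}/{lob}/{safe}/{obj}/{v}" for v in VARS]


def accounts_annotation(vault: str, safe: str, accounts: List[str]) -> str:
    """cyberark-vault/accounts value: one entry, or a comma list for a dual account."""
    return ",".join(f"{vault}/{safe}/{a}" for a in accounts)


def nest(path: List[str], body: List[str]) -> str:
    """Wrap body lines in one !policy block per path element, so the file can be
    loaded with `conjur policy load -b root` and still land in the right branch."""
    lines = body
    for pid in reversed(path):
        lines = ["- !policy", f"  id: {pid}", "  body:"] + ["    " + l for l in lines]
    return "\n".join(lines) + "\n"


def policy_files(vault: str, sync_host: str, lob: str,
                 safes: Dict[str, Dict[str, List[str]]]) -> Dict[str, str]:
    """Return {file name: YAML}. `safes` maps Safe name -> {object: [account, ...]};
    one account is a singular account, two are a dual account."""
    files = {
        f"{vault}.yml": "\n".join([              # vault admins group + sync host + policy
            f"- !group {vault}-admins",
            "- !grant",
            f"  role: !group {vault}-admins",
            f"  member: !host Sync_{sync_host}",
            "- !policy",
            f"  id: {vault}",
            f"  owner: !group {vault}-admins",
        ]) + "\n",
        f"{vault}-{lob}.yml": nest([vault], [    # LOB admins group + policy it owns
            f"- !group {lob}-admins",
            "- !policy",
            f"  id: {lob}",
            f"  owner: !group {lob}-admins",
        ]),
    }
    for safe, objects in safes.items():
        if not objects:                          # only non-empty Safes get a policy
            continue
        admins = f"{safe}-admins"
        files[f"{vault}-{lob}-{safe}.yml"] = nest([vault, lob], [
            f"- !group {admins}",
            "- !policy",
            f"  id: {safe}",
            "- !permit",                         # safe admins get create, read, update
            f"  role: !group {admins}",
            "  privileges: [create, read, update]",
            f"  resource: !policy {safe}",
        ])
        files[f"{vault}-{lob}-{safe}-delegation.yml"] = nest([vault, lob, safe], [
            "- !policy",
            "  id: delegation",
            f"  owner: !group /{vault}/{lob}/{admins}",   # absolute id: the safe admins group
            "  body:",
            "    - !group consumers",
        ])
        var_lines: List[str] = []
        for obj, accounts in objects.items():
            for var in VARS:
                var_lines += [
                    "- !variable",
                    f"  id: {obj}/{var}",
                    "  annotations:",
                    "    cyberark-vault: 'true'",
                    f"    cyberark-vault/accounts: {accounts_annotation(vault, safe, accounts)}",
                ]
            var_lines += [                       # consumers get read + execute on both values
                "- !permit",
                "  role: !group delegation/consumers",
                "  privileges: [read, execute]",
                "  resources:",
            ] + [f"    - !variable {obj}/{v}" for v in VARS]
        files[f"{vault}-{lob}-{safe}-variables.yml"] = nest([vault, lob, safe], var_lines)
    return files


def consumer_grant(vault: str, lob: str, safe: str, member: str) -> str:
    """Follow-up policy the Conjur admin loads (workflow step 5): make an
    application identity, e.g. '!host myapp', a member of the consumers group."""
    return "\n".join([
        "- !grant",
        f"  role: !group /{vault}/{lob}/{safe}/delegation/consumers",
        f"  member: {member}",
    ]) + "\n"


if __name__ == "__main__":
    # constructed input using the lesson's example names; the empty Safe is skipped
    example = {"app-app01-summon": {"app01": ["app01-db01", "app01-db02"]}, "unused-safe": {}}
    for name, text in policy_files("vault01", "COMP01A", "authn", example).items():
        print(f"# conjur policy load -b root -f {name}\n{text}")
    print(consumer_grant("vault01", "authn", "app-app01-summon", "!host myapp"))
```

Note the two ownership rules the generator encodes: the Safe policy itself is not owned by the Safe admins group (that group only gets create, read and update on it, as the Safe policy slide shows), whereas the delegation sub-policy is owned by the Safe admins group, which is what lets those admins manage the consumers group without being able to rewrite the variables or their annotations.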


Vault Synchronizer: Variable Example


[Diagram: Vault01 Safe app-app01-summon (members LOBUser_authn and Sync_COMP01A), RotationGroup=App01Rotation, with accounts app01-db01 (VirtualUserName=app01, Status=Inactive, Index=1) and app01-db02 (VirtualUserName=app01, Status=Active, Index=2). The Central Policy Manager (CPM) rotates app01-db01 after 15 mins. The Vault Synchronizer (default sync every 300 secs / 5 mins) updates the Conjur cluster (Leader (Master) and Standbys behind the LB conjur-cluster.acme.corp) as host/Sync_COMP01A; the App fetches app01-db02 from Conjur and uses it against the Database.]

1. When the password rotation cycle is reached, CPM picks up the task and performs the following:
• Account app01-db01 status will be changed to Inactive
• Account app01-db02 status will be changed to Active
• App01Rotation group CurrInd is set to 2
• CPM will sleep based on the parameter GracePeriod set on the rotation group, which is 15 mins (3 x Sync Time)

2. Upon the next sync, the Synchronizer communicates with the Vault, retrieves the account changes and updates the Conjur cluster with the app01-db02 credentials. Every application request from now onwards will be returned the app01-db02 password / secrets.

3. After 15 mins of waiting, CPM proceeds to rotate the password of account app01-db01, which is now Inactive.
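To see why the GracePeriod is tied to the sync interval, the following added simulation (not CyberArk code; the account names, passwords, timings and variable path are constructed to match the example) replays the three steps above on a second-by-second timeline and flags any rotation that happens while Conjur is still serving the account being rotated. With the lesson's 3 x Sync Time grace period the rotation is always safe; with no grace period the CPM would change the password of the account that applications are still fetching from Conjur.

```python
"""Timeline simulation of the dual-account rotation flow described above.
Added illustration (not CyberArk code): the classes model the behaviour the
lesson describes; names, passwords and timings are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SYNC_INTERVAL = 300                                    # default Synchronizer interval, seconds
VAR_PREFIX = "vault01/authn/app-app01-summon/app01"   # example variable path from the lesson


@dataclass
class Account:
    name: str
    password: str
    status: str     # "Active" or "Inactive"
    index: int


class RotationGroup:
    """Vault side: two accounts sharing VirtualUserName=app01, flipped by the CPM."""

    def __init__(self, accounts: List[Account], grace_period: int):
        self.accounts = accounts
        self.curr_ind = self.active().index
        self.grace_period = grace_period                  # lesson: 15 min = 3 x sync time
        self.pending: Optional[Tuple[int, Account]] = None  # (rotate_at, account)

    def active(self) -> Account:
        return next(a for a in self.accounts if a.status == "Active")

    def cpm_switch(self, now: int) -> None:
        """Step 1: CPM flips Active/Inactive, sets CurrInd, then waits GracePeriod."""
        old = self.active()
        new = next(a for a in self.accounts if a is not old)
        old.status, new.status = "Inactive", "Active"
        self.curr_ind = new.index
        self.pending = (now + self.grace_period, old)

    def cpm_tick(self, now: int) -> Optional[Account]:
        """Step 3: once the grace period has elapsed, rotate the now-Inactive account."""
        if self.pending and now >= self.pending[0]:
            acct = self.pending[1]
            acct.password = f"{acct.password}-rotated"   # constructed new password
            self.pending = None
            return acct
        return None


class Synchronizer:
    """Step 2: every interval, copy the Active account's credentials into Conjur."""

    def __init__(self, group: RotationGroup, interval: int = SYNC_INTERVAL):
        self.group, self.interval, self.next_sync = group, interval, 0
        self.conjur: Dict[str, str] = {}   # stands in for the Conjur variables

    def tick(self, now: int) -> None:
        if now >= self.next_sync:
            a = self.group.active()
            self.conjur[f"{VAR_PREFIX}/username"] = a.name
            self.conjur[f"{VAR_PREFIX}/password"] = a.password
            self.next_sync = now + self.interval


def simulate(grace_period: int, switch_at: int = 100, horizon: int = 2000) -> List[Tuple[int, str, str, bool]]:
    """Run the timeline and record each rotation as
    (time, rotated account, account Conjur serves at that moment, safe?).
    A rotation is safe only if Conjur already serves the other account, i.e. no
    application can be handed a password that was just invalidated."""
    db01 = Account("app01-db01", "pw-db01", "Active", 1)
    db02 = Account("app01-db02", "pw-db02", "Inactive", 2)
    group = RotationGroup([db01, db02], grace_period)
    sync = Synchronizer(group)
    events = []
    for now in range(horizon):
        sync.tick(now)
        if now == switch_at:
            group.cpm_switch(now)
        rotated = group.cpm_tick(now)
        if rotated:
            serving = sync.conjur[f"{VAR_PREFIX}/username"]
            events.append((now, rotated.name, serving, serving != rotated.name))
    return events


def rotation_is_safe(grace_period: int) -> bool:
    return all(ok for _, _, _, ok in simulate(grace_period))


if __name__ == "__main__":
    for grace in (3 * SYNC_INTERVAL, 0):
        print(f"GracePeriod={grace}s ->", simulate(grace))
```

The check to carry over from this model is the inequality it depends on: GracePeriod must exceed the Synchronizer interval (plus any sync latency), otherwise the rotation of the Inactive account can land before the Synchronizer has published the newly Active one, and the variables in Conjur briefly hold a password that no longer works.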
Vault Synchronizer Logs

CyberArk Vault Synchronizer log messages are written into log files and into the Windows Event log.

Vault Synchronizer logs are found in <LOGS_FOLDER_PATH>. The logs folder contains the trace log files that track the Vault Synchronizer activity. The main log file is called VaultConjurSynchronizer.log.

You can configure the log folder path and log level in the VaultConjurSynchronizer.exe.config file.

Please refer to the online docs for more information and for how to raise the log debug levels: Vault Synchronizer logs


Summary


In this session we discussed:

• Integrating Conjur with CyberArk Privileged Access Manager using Vault Synchronizer
• Vault Synchronizer Policy Management

Lab Section Exercise


Thank You
