[Architecture diagram: CyberArk Conjur, PVWA, Vault Enterprise, CPM; deployment across On-Premises, Data Center and Hybrid Cloud]
[Synchronizer workflow diagram; steps 1 and 2 not recovered from the slide]
3. Generate Conjur policy for LOBs: generate and load the LOB policy
4. Continuously sync secrets
The Synchronizer repeats step 2 during each interval and, if needed, steps 3 and 4.
Copyright © 2023 CyberArk Software Ltd. All rights reserved. cyberark.com
What is the Line-of-Business User?
A line of business (LOB) represents a business group that requires access to secrets
from the Vault. This enables segregation of duty (SoD). The LOB facilitates the syncing
of accounts to Conjur.
• Create the LOB User using the PrivateArk Client Utility
• Vault Synchronizer supports up to 10 different LOB Users
• Add the LOB User to each Safe that stores Secrets to synchronize into Conjur
• Configure the Safe permissions listed below
More information on LOB and how to create it: Line of Business (LOB)

LOBUser Safe Permissions
Role: LOBUser_<name>
Permissions:
  Access: Use accounts, Retrieve accounts, List accounts
  Workflow: Access Safe without confirmation
[Deployment options diagram: Conjur Enterprise Followers (containers) serving Safe 1 to Safe 4; deployment option: customer premises]
VARIABLE ANNOTATIONS
cyberark-vault: 'true'
• Singular Accounts
  cyberark-vault/accounts: VaultName/SafeName/account
• Dual Accounts
  cyberark-vault/accounts: vaultName/safeName/account1,vaultName/safeName/account2
<VaultName>  Vault name / policy branch declared during Vault Synchronizer installation
<LOBUser>  LOB Username created during Vault Synchronizer installation (e.g. LOBUser_authn)
<VaultName>/<LOBUser>/<SafeName>/<Object>/username  Username Conjur variable and secret value synchronized from the Vault account.
  EXAMPLE: vault01/authn/app-app01-summon/app01/username
<VaultName>/<LOBUser>/<SafeName>/<Object>/password  Password Conjur variable and secret value synchronized from the Vault account.
  EXAMPLE: vault01/authn/app-app01-summon/app01/password
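The two conventions above (the synced variable ID layout and the cyberark-vault annotations) are easy to get subtly wrong when writing policy or auditing what the Synchronizer created. The following Python helpers are an added example, not CyberArk's Synchronizer code: they parse a synced variable ID back into its Vault components, derive the per-Safe consumers group that the Safe delegation policy creates, interpret the singular/dual annotation, and compare a LOB user's Safe permissions against the table on the LOB slide. They assume, as the slide's own example does, that the <LOBUser> segment of a variable ID is the LOB name as it appears in the policy branch ("authn" for LOBUser_authn), and that each account reference in the annotation is exactly Vault/Safe/account.

```python
"""Helpers for checking Vault Synchronizer naming and annotation conventions.

Added illustrative code, not part of CyberArk's Synchronizer. Assumptions:
- synced variable IDs are <VaultName>/<LOBUser>/<SafeName>/<Object>/<property>,
  where <LOBUser> is the LOB name used in the policy branch (e.g. "authn")
  and <property> is "username" or "password";
- the cyberark-vault/accounts annotation holds one Vault/Safe/account
  reference (singular) or two comma-separated references (dual).
"""
from dataclasses import dataclass

SYNCED_PROPERTIES = ("username", "password")

# Safe permissions the LOB user is expected to hold (the slide's permissions table).
EXPECTED_LOB_PERMISSIONS = frozenset({
    "Use accounts",
    "Retrieve accounts",
    "List accounts",
    "Access Safe without confirmation",
})


@dataclass(frozen=True)
class SyncedVariable:
    vault: str
    lob: str
    safe: str
    obj: str
    prop: str

    def variable_id(self) -> str:
        """Rebuild the Conjur variable ID from its components."""
        return "/".join((self.vault, self.lob, self.safe, self.obj, self.prop))

    def consumers_group(self) -> str:
        """Consumers group that the Safe delegation policy creates for this Safe."""
        return f"{self.vault}/{self.lob}/{self.safe}/delegation/consumers"


def parse_variable_id(variable_id: str) -> SyncedVariable:
    """Split a Synchronizer-style variable ID; reject anything with the wrong shape."""
    parts = variable_id.split("/")
    if len(parts) != 5 or not all(parts):
        raise ValueError(f"not a Synchronizer-style variable id: {variable_id!r}")
    vault, lob, safe, obj, prop = parts
    if prop not in SYNCED_PROPERTIES:
        raise ValueError(f"unexpected property {prop!r}; expected one of {SYNCED_PROPERTIES}")
    return SyncedVariable(vault, lob, safe, obj, prop)


def parse_vault_annotations(annotations: dict) -> dict:
    """Interpret the cyberark-vault annotations attached to a Conjur variable.

    Returns {"mode": "singular" | "dual", "accounts": [(vault, safe, account), ...]}.
    Raises ValueError when the flag is missing or the reference list is malformed.
    """
    if str(annotations.get("cyberark-vault", "")).lower() != "true":
        raise ValueError("variable is not flagged with cyberark-vault: 'true'")
    raw = str(annotations.get("cyberark-vault/accounts", ""))
    refs = [r.strip() for r in raw.split(",") if r.strip()]
    if len(refs) not in (1, 2):
        raise ValueError(f"expected 1 (singular) or 2 (dual) account references, got {len(refs)}")
    accounts = []
    for ref in refs:
        fields = ref.split("/")
        if len(fields) != 3 or not all(fields):
            raise ValueError(f"account reference must be Vault/Safe/account: {ref!r}")
        accounts.append(tuple(fields))
    return {"mode": "singular" if len(accounts) == 1 else "dual", "accounts": accounts}


def check_lob_permissions(granted) -> dict:
    """Report which expected Safe permissions a LOB user lacks and which extras it carries."""
    granted = frozenset(granted)
    return {
        "missing": sorted(EXPECTED_LOB_PERMISSIONS - granted),
        "extra": sorted(granted - EXPECTED_LOB_PERMISSIONS),
    }


if __name__ == "__main__":
    # Constructed sample inputs based on the slide's example names.
    var = parse_variable_id("vault01/authn/app-app01-summon/app01/username")
    print(var, "->", var.consumers_group())
    dual = {"cyberark-vault": "true",
            "cyberark-vault/accounts":
                "vault01/app-app01-summon/app01-db01,vault01/app-app01-summon/app01-db02"}
    print(parse_vault_annotations(dual))
    print(check_lob_permissions(["Use accounts", "Retrieve accounts", "List accounts",
                                 "Access Safe without confirmation", "Add accounts"]))
```

The permission check is the part worth wiring into a periodic review: a LOB user that has acquired anything beyond the four listed permissions (for example "Add accounts") no longer matches the minimal profile the slide prescribes, and a variable whose annotation lists a different number of references than its mode suggests will not sync the way the policy author expected.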
[Dual-account diagram: Safe members LOBUser_authn and Sync_COMP01A; Synchronizer identity host/Sync_COMP01A]
  Account app01-db01: VirtualUserName=app01, Status=Active, Index=1
  Account app01-db02: VirtualUserName=app01, Status=Inactive, Index=2
2. Vault Admins work with the DevOps team to onboard the secrets that need to be synchronized to Conjur. The LOB User (e.g. LOBUser_authn) is added to the Safe as a member, allowing the Synchronizer to identify which secrets will be synced to Conjur.
3. By default, every 300 secs (5 mins) the Synchronizer communicates with the Vault using Sync_COMP01A to retrieve all relevant secret credentials and syncs them to Conjur using host/Sync_COMP01A. For a dual-account setup, the Active account is synced.
[Policy ownership diagram]
  root
    <ConjurAccount>:group:<VaultName>/<LOBUser>/<SafeName>-admins (owner) – owner of the delegation policy
    <ConjurAccount>:group:<VaultName>/<LOBUser>/<SafeName>/delegation/consumers
  Variable: vault01/authn/app-app01-summon/app01/username
    acme:variable:vault01/authn/app-app01-summon/app01/username
    acme:group:vault01/authn/app-app01-summon/delegation/consumers [read, execute]
• Conjur Policy: branch <LOBUser> (e.g. authn), owner acme:group:vault01/authn-admins
• Policy Load Syntax:
  conjur policy load -b root -f <VaultName>-<LOBUser>.yml
• Safe policy file: <LOBUser>-<SafeName>.yml
Safe Delegation policy
• The Delegation Policy defines a delegation policy and a consumers group. The consumers group is automatically granted read and execute permissions on all variables synchronized to Conjur within the Safe.
• Policy file: <VaultName>-<LOBUser>-<SafeName>-delegation.yml
[Diagram: vault01 → authn → owner of vault01/authn/app-app01-summon/delegation/consumers]
1. When the password rotation cycle is reached, the CPM picks up the task and performs the following:
• Account app01-db01 status is changed to Inactive
• Account app01-db02 status is changed to Active
• The App01Rotation group CurrInd is set to 2
• The CPM sleeps for the GracePeriod set on the rotation group, which is 15 mins (3 x Sync Time)
2. Upon the next sync, the Synchronizer communicates with the Vault, retrieves the account changes and updates the Conjur cluster with the app01-db02 credentials. Every application request from now on is answered with the app01-db02 password/secrets.
3. After the 15-minute wait, the CPM proceeds to rotate the password of account app01-db01, which is now Inactive.
Vault Synchronizer Logs
CyberArk Vault Synchronizer log messages are written into log files and into the Windows Event log.
Vault Synchronizer logs are found in <LOGS_FOLDER_PATH>. The logs folder contains the trace log files that track the Vault Synchronizer activity. The main log file is called VaultConjurSynchronizer.log.
You can configure the log folder path and log level in the VaultConjurSynchronizer.exe.config file.
Please refer to the online docs for more information and for how to raise the log debug levels: Vault Synchronizer logs