Vault Conjur Synchronizer

Vault Conjur Synchronizer 10.8 supports Conjur Enterprise v5.x


This section contains documentation for Vault Conjur Synchronizer 10.8. For documentation of prior versions, see Prior Releases.

CyberArk's Digital Enterprise Password Vault ® (EPV) integration with Conjur extends CyberArk Privileged Access Security to the DevOps space and to modern, dynamic environments. Secrets that are stored and managed in the CyberArk Vault can now be shared with Conjur and consumed through its clients, APIs and SDKs, enhancing security and reducing risk for DevOps environments, including CI/CD pipelines, containerized applications, and cloud platforms.

The integration between the Enterprise Password Vault ® (EPV) and Conjur gives Security, IT, and DevOps teams a common platform for enforcing privileged access security policies across all platforms (on-premises, cloud, and DevOps), forming a consistent, unified, enterprise-wide PAS program.

Solution benefits

CyberArk's Digital Enterprise Password Vault ® (EPV) integration with Conjur provides the following benefits:

  • Enables CyberArk customers who store and manage their secrets in the Enterprise Password Vault ® (EPV) to benefit from Conjur's ability to deliver secrets to dynamic and ephemeral environments and containers.

  • Enables central policy enforcement for DevOps use cases, such as rotation, monitoring, and auditing.

How does it work?

  1. The Vault Admin creates LOB users and grants them ownership of specific safes. These LOB users facilitate syncing the accounts in those safes to Conjur.

  2. The CyberArk Vault-Conjur Synchronizer service (Synchronizer) retrieves the accounts owned by these LOBs.

  3. The Synchronizer generates a Conjur policy for these LOBs, in which each secret is defined as a variable, and loads it to Conjur.

  4. The Synchronizer syncs the account values to Conjur as the values of those Conjur variables.

  5. The Conjur Admin creates and loads a Conjur policy that delegates permissions on the variables to users and hosts.

    During each sync interval, the Synchronizer repeats step 2 and, if needed, steps 3 and 4.

Synchronizer Flow

The Synchronizer syncs secrets from accounts in the root folder of safes that are owned by the LOB user.

The Synchronizer supports most account types. To learn more about single and dual accounts, see Accounts and Safes.


Accounts used on Service Account platforms are not synced.

In each sync interval the following steps are taken:

  1. The Synchronizer user retrieves all LOB User accounts from the ConjurSync safe.

    If a new LOB is found, the Synchronizer generates a policy for it and loads the policy to Conjur.

    Each Vault account is represented in Conjur by the following variables:

    Variable    Required
    --------    --------
    password    Yes
    username    No

    For example:

    Account                                    Variable representation
    -----------------------------------------  ------------------------------------------------------------------------------
    Single account                             Variable name: Vault_Name/lob_name/Safe1/Account1/username
    (Vault_Name/Safe1/Root/Account1)           Has the following annotations:
                                                 cyberark-vault: true
                                                 cyberark-vault/accounts: Vault_Name/Safe1/Account1
                                               Variable name: Vault_Name/lob_name/Safe1/Account1/password
                                               Has the following annotations:
                                                 cyberark-vault: true
                                                 cyberark-vault/accounts: Vault_Name/Safe1/Account1

    Dual account                               Variable name: Vault_Name/lob_name/Safe1/virtual_user_name/username
    (Vault_Name/Safe1/Root/Account1,           Has the following annotations:
    Vault_Name/Safe1/Root/Account2)              cyberark-vault: true
                                                 cyberark-vault/accounts: Vault_Name/Safe1/Account1, Vault_Name/Safe1/Account2
                                                 cyberark-vault/dual-account: true
                                               Variable name: Vault_Name/lob_name/Safe1/virtual_user_name/password
                                               Has the following annotations:
                                                 cyberark-vault: true
                                                 cyberark-vault/accounts: Vault_Name/Safe1/Account1, Vault_Name/Safe1/Account2
                                                 cyberark-vault/dual-account: true

    Non-CPM managed account                    Same as single account

    In a Dual account, the virtual_user_name of the Dual Account group must be unique per safe. For example, if a user has two Unix environments with Dual Account configured in the same safe, the two environments cannot have the same virtual_user_name, because both would map to the same Conjur variable names.

    If multiple LOBs own the same safe, a separate set of username and password variables is created in Conjur for each LOB.

  2. The Synchronizer runs at the interval defined by the SYNC_INTERVAL_TIME parameter in the VaultConjurSynchronizer.exe.config file. Each run syncs the LOB-owned safes with Conjur. The default value of SYNC_INTERVAL_TIME is 300 seconds (5 minutes).

    If syncing a LOB takes longer than SYNC_INTERVAL_TIME, the next sync interval for that LOB is skipped.

  3. If an account is added to a synced safe, or a new safe is created for or assigned to the LOB User, the new accounts are synced to Conjur in the next sync interval. The Synchronizer first refreshes changes to the secrets it already syncs and only then adds the new accounts to Conjur, so that changes to existing secrets propagate as soon as possible.
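The variable mapping in the table above, the per-safe uniqueness rule for virtual_user_name, the per-LOB duplication of variables, and the shape of the policies in steps 3 and 5 of "How does it work?", worked through in Python. This is an added example and not the Synchronizer's own code: the exact policy the Synchronizer generates is not shown on this page, so the rendered YAML shape, the sample accounts (Account1 to Account4 in Safe1), the virtual_user_name unix_app and the host id jenkins/job1 are all assumptions made for illustration.

```python
"""Model of how Vault accounts map to Conjur variables, per the table on this page.

Added example, not the Synchronizer's own code: variable ids and annotations
follow the variable-representation table; the YAML shape and the host id
"jenkins/job1" are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    """A Vault account in the Root folder of a safe (Vault_Name/Safe1/Root/Account1)."""
    vault: str
    safe: str
    name: str
    virtual_user_name: Optional[str] = None  # set only for members of a Dual Account

    @property
    def vault_path(self) -> str:
        # Form used in the cyberark-vault/accounts annotation: no "Root" segment.
        return f"{self.vault}/{self.safe}/{self.name}"


@dataclass
class ConjurVariable:
    id: str
    annotations: Dict[str, str]


Leaf = Tuple[str, str, str]  # (vault, safe, leaf) that names one username/password pair


def group_by_leaf(accounts: List[Account]) -> Dict[Leaf, List[Account]]:
    """The leaf is the account name, or the shared virtual_user_name of a dual account."""
    groups: Dict[Leaf, List[Account]] = {}
    for acct in accounts:
        leaf = acct.virtual_user_name or acct.name
        groups.setdefault((acct.vault, acct.safe, leaf), []).append(acct)
    return groups


def naming_conflicts(accounts: List[Account]) -> List[str]:
    """Apply the page's rule that virtual_user_name must be unique per safe.

    A leaf may name exactly one single account or exactly one dual-account pair;
    anything else means two groups in the same safe would share Conjur variables.
    """
    conflicts = []
    for (vault, safe, leaf), members in group_by_leaf(accounts).items():
        is_dual = any(a.virtual_user_name for a in members)
        if len(members) != (2 if is_dual else 1):
            conflicts.append(f"{vault}/{safe}/{leaf}")
    return conflicts


def conjur_variables(lob: str, accounts: List[Account]) -> List[ConjurVariable]:
    """Username/password variables one LOB gets for the accounts in its safes."""
    conflicts = naming_conflicts(accounts)
    if conflicts:
        raise ValueError(f"virtual_user_name not unique within safe: {conflicts}")
    variables: List[ConjurVariable] = []
    for (vault, safe, leaf), members in group_by_leaf(accounts).items():
        annotations = {
            "cyberark-vault": "true",
            "cyberark-vault/accounts": ", ".join(a.vault_path for a in members),
        }
        if len(members) == 2:  # dual account: one pair represents both accounts
            annotations["cyberark-vault/dual-account"] = "true"
        for suffix in ("username", "password"):  # password required, username optional
            variables.append(ConjurVariable(f"{vault}/{lob}/{safe}/{leaf}/{suffix}", dict(annotations)))
    return variables


def variables_for_lobs(lob_accounts: Dict[str, List[Account]]) -> List[ConjurVariable]:
    """When several LOBs own the same safe, each LOB gets its own set of variables."""
    return [v for lob, accts in lob_accounts.items() for v in conjur_variables(lob, accts)]


def variables_policy_yaml(variables: List[ConjurVariable]) -> str:
    """Render the variables as Conjur policy (the kind of policy step 3 loads; assumed shape)."""
    lines: List[str] = []
    for var in variables:
        lines += ["- !variable", f"  id: {var.id}", "  annotations:"]
        lines += [f'    {key}: "{value}"' for key, value in var.annotations.items()]
    return "\n".join(lines) + "\n"


def permit_policy_yaml(host_id: str, variables: List[ConjurVariable]) -> str:
    """Render the Conjur admin's delegation policy (step 5): read + execute lets a host fetch."""
    lines = [f"- !host {host_id}", "- !permit", f"  role: !host {host_id}",
             "  privileges: [ read, execute ]", "  resources:"]
    lines += [f"    - !variable {var.id}" for var in variables]
    return "\n".join(lines) + "\n"


# Constructed sample: a single account, a dual-account pair, and a non-CPM account in Safe1.
SAMPLE_ACCOUNTS = [
    Account("Vault_Name", "Safe1", "Account1"),
    Account("Vault_Name", "Safe1", "Account2", virtual_user_name="unix_app"),
    Account("Vault_Name", "Safe1", "Account3", virtual_user_name="unix_app"),
    Account("Vault_Name", "Safe1", "Account4"),  # non-CPM managed: same as single
]

if __name__ == "__main__":
    variables = conjur_variables("lob_name", SAMPLE_ACCOUNTS)
    print(variables_policy_yaml(variables))
    print(permit_policy_yaml("jenkins/job1", [v for v in variables if v.id.endswith("/password")]))
```

Running the module prints two policy fragments: the variable declarations with their cyberark-vault annotations, and a !permit granting the host read and execute on the password variables, which is what a Conjur host needs in order to fetch a secret value. Adding a fifth account with the virtual_user_name unix_app to Safe1 makes naming_conflicts() report Vault_Name/Safe1/unix_app, the collision the note above warns about; the same check also catches a single account whose name equals a virtual_user_name in the same safe.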

System requirements

Component            Requirement
-------------------  ------------------------------------------------------------------
Synchronizer           • Windows Server 2016
                       • Windows Server 2012 R2
                       • .NET Framework 4.5.2
                       • PowerShell 4

PAS                  Version 9.7 and later.
                     For details, see the Privileged Access Security Installation Guide.

Conjur Enterprise    Version 10.8 and later.
                     For installation details, see Install Conjur Enterprise.

Conjur CLI           Recommended (not mandatory): the cyberark/conjur-cli:5 Docker image.
                     For details, see Conjur CLI.

Hardware requirements

Component      CPU (number of cores)                RAM (GB)
-------------  -----------------------------------  -----------------------------------
Synchronizer   4                                    8

Conjur         Conjur container: 4                  Conjur container: 8
               Conjur host machine: 4 or greater    Conjur host machine: 16 or greater

Licensing

The Synchronizer and the LOB users are APPProvider users and require appropriate licenses.

Audits

Audit records are stored in the Enterprise Password Vault ® (EPV) and in Conjur. The Synchronizer itself does not maintain audit records.
