Vault Conjur Synchronizer

Vault Conjur Synchronizer 10.5 supports Conjur Enterprise v4 and above

This section contains documentation for Vault Conjur Synchronizer 10.5. For documentation of prior versions, see Prior Releases.

CyberArk's Digital Enterprise Password Vault ® (EPV) integration with Conjur expands the CyberArk Privileged Access Security to the DevOps space and to modern and dynamic environments. Secrets that are stored and managed in the CyberArk Vault can now be shared with Conjur and used via its clients, APIs and SDKs to enhance security and reduce risks for the DevOps environments, including CI/CD pipeline, containerized applications, and cloud platforms.

The integration between the Enterprise Password Vault ® (EPV) and Conjur provides Security, IT, and DevOps teams with a common platform to enforce privileged access security policies on all platforms - On Premise/Cloud/DevOps - to form a consistent, unified enterprise-wide PAS Program.

Solution benefits

CyberArk's Digital Enterprise Password Vault ® (EPV) integration with Conjur provides the following benefits:

  • Enables CyberArk customers who store and manage their secrets in the Enterprise Password Vault ® (EPV) to benefit from Conjur's capabilities to provide secrets in dynamic and ephemeral environments and containers.

  • Enables central policy enforcement for DevOps use cases, such as rotation, monitoring, and auditing.

How does it work?

  1. The Vault Admin creates LOB users and grants them ownership of specific safes. These LOBs facilitate the syncing of accounts to Conjur.

  2. The CyberArk Vault-Conjur Synchronizer service (Synchronizer) retrieves the accounts for these LOBs.

  3. The Synchronizer generates a Conjur policy for these LOBs that contains the secrets defined as variables, and loads them to Conjur.

  4. The Synchronizer syncs the accounts to Conjur as Conjur variables.

  5. The Conjur LOB Admin creates and loads a Conjur policy that delegates users and hosts permissions to the variables.

    During each sync interval, the Synchronizer repeats step 2 and, if needed, steps 3 and 4.

Synchronizer Flow

The Synchronizer syncs secrets from accounts in the root folder of safes that are owned by the LOB user.

The Synchronizer supports most account types. To learn more about single and dual accounts, see Accounts and Safes.

Accounts used on Service Account platforms are not synced.

In each sync interval the following steps are taken:

  1. The Synchronizer user retrieves all LOB User accounts from the ConjurSync safe.

    If there is a new LOB, the Synchronizer generates the policy and loads it to Conjur.

    • For Conjur v4 EE only: Save the policy to a folder named ConjurPolicies.

    • Each Vault account is represented in Conjur by the following variables:

      Variable    Required
      password    Yes
      username    No

      For example:

      Account: Single account (Vault_Name/Safe1/Root/Account1)
      Variable representation:
        Variable name: Vault_Name/lob_name/Safe1/Account1/username
        Has the following annotations:
          cyberark-vault: true
          cyberark-vault/accounts: Vault_Name/Safe1/Account1
        Variable name: Vault_Name/lob_name/Safe1/Account1/password
        Has the following annotations:
          cyberark-vault: true
          cyberark-vault/accounts: Vault_Name/Safe1/Account1

      Account: Dual account (Vault_Name/Safe1/Root/Account1, Vault_Name/Safe1/Root/Account2)
      Variable representation:
        Variable name: Vault_Name/lob_name/Safe1/virtual_user_name/username
        Has the following annotations:
          cyberark-vault: true
          cyberark-vault/accounts: Vault_Name/Safe1/Account1, Vault_Name/Safe1/Account2
          cyberark-vault/dual-account: true
        Variable name: Vault_Name/lob_name/Safe1/virtual_user_name/password
        Has the following annotations:
          cyberark-vault: true
          cyberark-vault/accounts: Vault_Name/Safe1/Account1, Vault_Name/Safe1/Account2
          cyberark-vault/dual-account: true

      Account: Non-CPM managed account
      Variable representation: Same as single account

    In a Dual account, the virtual_user_name of the Dual Account group must be unique per safe. For example, if a user has two Unix environments with Dual Account configured, then the two environments cannot have the same virtual_user_name.

    If multiple LOBs own the same safe, a set of variables representing the username and password is created for each LOB in Conjur.

  2. The Synchronizer runs at intervals defined by the SYNC_INTERVAL_TIME parameter in the VaultConjurSynchronizer.exe.config file. This process syncs the LOB-owned safes with Conjur. The default value of SYNC_INTERVAL_TIME is 300 seconds (5 minutes).

    If the syncing process for this LOB takes longer than the SYNC_INTERVAL_TIME, the next sync interval for this LOB is skipped.

  3. If an account is added to a synced safe, or if a new safe is added or assigned to the LOB User, the new accounts are synced to Conjur in the next sync interval. The Synchronizer first refreshes changes in the currently synced secrets and only then adds the new accounts to Conjur, so ongoing changes are updated as soon as possible.
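The variable naming and annotation scheme from the Synchronizer Flow steps above, and the per-LOB policy generation described under "How does it work?", as an added Python example; this is not the Synchronizer's own code or its real policy output. It assumes a constructed account list, renders a Conjur-policy-style YAML fragment by hand, and rejects a Dual Account group whose virtual_user_name is reused within a safe.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    vault: str
    safe: str
    name: str               # account object in the safe's root folder
    virtual_user: str = ""  # virtual_user_name, set on both members of a Dual Account group


def conjur_variables(lob, accounts):
    """Return {variable_id: annotations} for the accounts one LOB owns.

    Ids follow Vault/lob/Safe/<account or virtual_user_name>/<username|password>.
    A Dual Account group must have exactly two members; since virtual_user_name
    must be unique per safe, a third member means two groups collided."""
    entries = {}  # (vault, safe, leaf, is_dual) -> member account paths
    for a in accounts:
        key = (a.vault, a.safe, a.virtual_user or a.name, bool(a.virtual_user))
        entries.setdefault(key, []).append(f"{a.vault}/{a.safe}/{a.name}")
    variables = {}
    for (vault, safe, leaf, dual), members in entries.items():
        if dual and len(members) != 2:
            raise ValueError(f"Dual Account group {safe}/{leaf}: expected 2 members, got {len(members)}")
        annotations = {"cyberark-vault": "true", "cyberark-vault/accounts": ", ".join(members)}
        if dual:
            annotations["cyberark-vault/dual-account"] = "true"
        for var in ("username", "password"):  # password is required, username optional
            variables[f"{vault}/{lob}/{safe}/{leaf}/{var}"] = dict(annotations)
    return variables


def render_policy(variables):
    """Render the variables as a Conjur policy YAML fragment (hand-built, no PyYAML)."""
    lines = []
    for var_id, annotations in variables.items():
        lines += ["- !variable", f"  id: {var_id}", "  annotations:"]
        lines += [f"    {k}: {v}" for k, v in annotations.items()]
    return "\n".join(lines) + "\n"


# Constructed sample: one single account plus one Dual Account pair in Safe1.
SAMPLE = [
    Account("Vault_Name", "Safe1", "Account1"),
    Account("Vault_Name", "Safe1", "Account2", "unix_app"),
    Account("Vault_Name", "Safe1", "Account3", "unix_app"),
]

if __name__ == "__main__":
    print(render_policy(conjur_variables("lob_name", SAMPLE)))
```

Calling conjur_variables with a second LOB name for the same safe yields a separate variable set under that LOB's path, matching the multi-LOB note above.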

System requirements

Component      Requirement

PAS            Version 9.5 and up.
               For details, see the Privileged Access Security Installation Guide.

Conjur         Version 5 Enterprise Edition: 5.1.1 EE and up.
               For installation details, see https://docs.conjur.org/Latest/en/Content/Get%20Started/install-enterprise.htm
               Version 4 Enterprise Edition: 4.9.8 and up.
               For installation details, see https://developer.conjur.net/server_setup/platforms/docker.html

Conjur CLI     Conjur v4 EE: CLI version 4.29.0 and up, or the latest cyberark/conjur-cli:4 Docker image.
               Conjur v5 EE: Recommended install (not mandatory): cyberark/conjur-cli:5 Docker image.
               For more information about Conjur CLI Docker images, see https://hub.docker.com/r/cyberark/conjur-cli/

Synchronizer   • Windows Server 2016
               • Windows Server 2012 R2
               • .NET Framework 4.5.2
               • PowerShell 4

Hardware requirements

Component       CPU (# of cores)   RAM (GB)

Conjur server   4                  Conjur container: 8
                                   Conjur host machine: 16 or greater

Synchronizer    4                  8

Licensing

The Synchronizer and the LOB users are APPProvider users and require appropriate licenses.

Audits

Audit records are stored in the Enterprise Password Vault ® (EPV) and in Conjur. The Synchronizer does not maintain audit records.