CAU 02 Conjur - Fundamentals Installation

The document provides instructions on installing the Conjur secrets manager, including system requirements for running Conjur in a high availability cluster configuration with a leader, standbys, and followers, how to install the leader node, and an overview of key concepts such as replication, auditing, failover, and seed files for adding additional nodes. It also reviews important Docker commands and provides a workflow for installing the Conjur leader container.

Uploaded by karthik chithari

CONJUR FUNDAMENTALS

Installation

CyberArk Training
LESSON OBJECTIVES

This lesson provides an installation overview for the Conjur Secrets Manager solution.
Upon completion of this lesson the participant will be able to:
• Learn the system requirements and prerequisites to install Conjur
• Learn how to install a high-availability Conjur Secrets Manager solution
• Learn how to verify system health

REQUIREMENTS

REQUIREMENTS: CONJUR SYSTEM

Conjur System Requirements

✓ Linux host operating system
✓ Docker Engine 1.13 or later
✓ Secure/harden Linux based on industry standards and Docker security guidance
✓ FIPS compliance requires Docker Enterprise 19.x on RHEL 8.x

Conjur Software Distribution

✓ Packaged as a Docker image
✓ AWS Amazon Machine Image (AMI) available
✓ Supports Leader (formerly Master), Standbys, and Followers

REQUIREMENTS: CONJUR CLUSTER

Conjur Cluster Requirements

✓ Minimum Conjur nodes:
• 1 Leader (formerly Master)
• 2 Standbys
• 1 Follower (two recommended)
✓ Recommend deploying one Standby in the same fault zone as the Leader, and the other Standby in another remote fault zone
✓ One Standby must be configured for synchronous replication to prevent data loss
✓ The auto-failover cluster automatically selects the synchronous Standby
✓ Followers are typically deployed behind a load balancer

REQUIREMENTS: CLUSTER INFRASTRUCTURE

Cluster Infrastructure Requirements

Domain Names:
• Create fully qualified domain names (FQDN)
• Avoid functionality in names (e.g. Standby)
• DNS names must not contain an underscore ( _ )
Network:
• Configure a Layer 4 load balancer
• Supports F5, AWS ELB, HAProxy, or other
• Used to coordinate PostgreSQL replication
• Must perform HTTP health checks
• Verify HTTPS (443) status on each node, or verify HTTP (444) status on each node
SSL Certificate:
• Self-signed certificates included by default
• Recommended to create a third-party certificate

PORTS & PROTOCOLS

Cloud-Friendly Network Architecture

[Diagram: one Master, two Standbys and three Followers connected over the ports listed below]

HTTPS (443)
• Secure in-transit communication between DAP Master, Standby Master(s), and Follower(s)
• REST API

HTTP (444)
• Health check / verify

PG-MAIN (5432)
• PostgreSQL database replication (main database)

PG-AUDIT (1999)
• PostgreSQL database replication (audit/logs)

REQUIREMENTS: FOLLOWER INFRASTRUCTURE

Follower Infrastructure Requirements

Followers Purpose:
• Read-replica copy of the Conjur Leader (Master)
• Serve application secret retrieval requests
• Based on a “shared-nothing” architecture
Load Balancer:
• Placed in front of the Followers
• Distributes HTTPS traffic between Followers
Recommendations:
• Start with a minimum of 2 Followers
• Multiple groups of Followers can be deployed with separate load balancers based on fault zones
• Auto-scale Followers based on CPU utilization
➢ Scale up when CPU usage goes beyond the threshold
➢ Scale down when CPU usage drops below the threshold

REQUIREMENTS: CERTIFICATE

SSL Digital Certificate Requirements

Certificate Purpose:
• Secure communication between Conjur nodes
• Required for a Conjur HA cluster
Supported Types:
• Self-signed (included by default)
• Third-party signed (recommended)
Cluster Certificate:
• Shared certificate includes the load balancer name (CN) and the DNS names of each node (subject alternative names)
Followers Certificate:
• Shared certificate for all Followers behind the same load balancer

i For more information refer to:
https://docs.cyberark.com

ARCHITECTURE: HIGHLY SCALABLE

[Diagram: web apps and apps send application requests over TCP 443 to conjur-follower.corp.com, the load balancer in front of the Followers. The Followers receive asynchronous replication from conjur-cluster.corp.com, the load balancer in front of the Master and its Standbys, over TCP 443, 5432 and 1999. One Standby replicates synchronously from the Master and the other asynchronously, also over TCP 443, 5432 and 1999.]

TERMINOLOGY: CONJUR HIGH AVAILABILITY

REPLICATION: Data is transferred from the active Leader (Master) to the Standbys and Followers using PostgreSQL streaming replication. Streaming replication uses a continuous connection between the 'upstream' Leader and each 'downstream' Standby or Follower. In the absence of any network problems, transfer from the Leader to the downstream is virtually instantaneous.

AUDITING: The Leader (Master) and all Followers generate audit records that capture all activity. A Follower forwards its audit events to the Leader.

SECURE COMMUNICATION: All traffic within the cluster is secured by verified TLS (HTTPS, LDAPS, or PostgreSQL with mutual TLS). The mutual TLS for replication is key, as it allows ports to be open across data centers without needing to worry about DDoS attacks. Each Conjur server (Leader/Standby/Follower) has an SSL certificate issued by a common certificate authority (CA). On setup, self-signed certificates are generated and configured. These certificates can be swapped for those generated by your organization.

SEED FILES: To create a new Standby or Follower, a seed file of information from the Leader is required. An authorized administrator generates the seed file on the Leader, copies it, and unpacks it on the new server. The seed file contains sensitive information, including configuration settings and server keys. Be sure to restrict access to seed files and protect the information.

SERVER KEY: The server keys (data key, Conjur UI key, and SSL keys) can be encrypted using a master key. When the server keys are encrypted, no plaintext keys are stored on the server hard disk or included in the seed files. Conjur supports Hardware Security Module (HSM) and Amazon Key Management Service (AWS KMS) integrations for key encryption.

FAIL-OVER: Within a Conjur cluster, fail-over to a healthy Standby can occur automatically or manually in the event of the failure of the Leader. Both automatic and manually-triggered failover are supported.

DOCKER COMMAND REVIEW

DOCKER COMMANDS OVERVIEW

docker cp       Copy files to/from a container
docker exec     Run a command inside a container
docker kill     Kill one or more running containers
docker logs     View the logs (stdout) of a container
docker ps       List running containers
docker restart  Restart a running container
docker run      Start a container from an image
docker stop     Stop a container

i Docker Engine Command Reference:
https://docs.docker.com/engine/reference/commandline/docker/

INSTALLATION PROCEDURES:
LEADER (MASTER)

INSTALLATION WORKFLOW: LEADER (MASTER)

1. Install/Secure Linux OS & Open Ports/Protocols
2. Create System Folders on Linux Host OS
3. Install Platform Software (Docker Engine)
4. Load Conjur Image Into Local Docker Repository
5. Prepare Docker Security Profile (seccomp)
6. Run Docker to Create the Conjur Container
7. Run Evoke to Configure Conjur as Leader (Master)
8. Import Third-Party SSL Certificates (optional)
9. Encrypt Server Keys (optional)
10. Verify Configuration / Health

[Workflow phases shown on the slide: PLAN, INSTALLATION, CONFIGURE, IMPLEMENT, ACTIVATE]

STEP 1: OPEN PORTS

Prepare Linux Host Operating System

✓ Install Linux OS (virtual or physical)
✓ Securely harden using industry standards along with Docker security guidance
✓ Ensure all required networking ports and protocols are available and accessible

STEP 2: CREATE SYSTEM FOLDERS

Prepare Linux Host Operating System

✓ If mounting volumes between the host OS and Docker, it is recommended to create dedicated folders
✓ Simplifies the process of getting configuration data into each container running the Conjur nodes:
• Configuration
• Seed Files
• Audit & Logging
• Backups
• Security Profiles

Create System Folders:
mkdir -p /opt/cyberark/conjur/{security,configuration,backup,seeds,logs}

STEP 3: INSTALL DOCKER

Docker Engine Installation (RHEL/CentOS)

• Conjur is packaged as a container image
• Each node should run on a separate machine
• The user running the container must have root privileges

Install Docker Engine:
sudo yum install docker

Enable Docker Daemon on Boot:
sudo systemctl enable docker

Start Docker Services:
sudo systemctl start docker

Verify Docker is Functioning:
sudo docker run hello-world
Status: Downloaded newer image for hello-world:latest
Hello from Docker!

i NOTE: If you want to avoid using the sudo command to run docker, add the desired user accounts to the docker group (membership in the docker group is equivalent to root on the host, so limit it to administrators). Run the following command:
sudo usermod -aG docker <username>

STEP 4: LOAD CONJUR IMAGE

Load Conjur Image

• The Conjur image is loaded into the local Docker Engine repository for ease of access and starting the Conjur container

Load Image:
docker load -i conjur-appliance_<version>.tar

View / Verify Image Loaded:
docker images

STEP 5: DOCKER SECURITY PROFILE

Docker Security Profile

Secure computing mode (seccomp) is a Linux kernel feature. You can use it to restrict the actions available within the container. You can use this feature to restrict your application’s access.
• Load the security profile at container run-time using the following optional parameter of the docker run command:
--security-opt seccomp=/path/seccomp/profile.json
• For TEST / DEV environments, using the seccomp=unconfined parameter setting is acceptable:
--security-opt seccomp=unconfined

Docker Security Profile Details:
https://docs.docker.com/engine/security/seccomp/

Docker Security Profile Example:
https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/Latest/en/Content/Deployment/platforms/docker-sec-profile.htm#Sample

STEP 6: CREATE CONJUR CONTAINER (LEADER/STANDBY)

Create Leader/Standby Container

• Each Conjur node requires a separate container created and running
• Leader & Standby nodes are identical. Followers are slightly different
• Syntax varies based on version

Create Conjur Leader/Standby Container:
docker run --name <container-name> -d --restart=unless-stopped \
  --security-opt seccomp:<profile> \
  -p "443:443" -p "444:444" -p "5432:5432" -p "1999:1999" \
  --log-driver journald -v <add_volumes> \
  registry.tld/conjur-appliance:<version>

Verify Docker Container Created:
docker ps

i For more information refer to:
https://docs.cyberark.com

STEP 7: CONFIGURE CONJUR USING EVOKE

Configure Conjur Leader (Master)

• Must accept the end user license agreement (EULA)
• Use --master-altnames to list each node (Leader/Standby) in comma-separated format
• Password must be 12-128 characters and include 2 upper/lower letters, 1 digit, and 1 special character

Initialize Conjur Variables:
containerName=<container-name>
clusterName=<cluster-load-balancer-dns>
conjur1=<leader-dns>
conjur2=<standby1-dns>
conjur3=<standby2-dns>
password=$(openssl rand -hex 8)
account=<account-name>

Note: openssl rand -hex 8 produces 16 lowercase hexadecimal characters, which contain no uppercase letter and no special character and so do not satisfy the password policy above; choose or generate a password that does.

Run Evoke to Configure Conjur:
docker exec $containerName evoke configure master \
  --accept-eula --hostname $clusterName \
  --master-altnames "$conjur1,$conjur2,$conjur3" \
  --admin-password $password $account

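The following is an added example, not part of the CyberArk slides: a POSIX shell check of a candidate admin password against the policy stated above, plus a generator that retries until a candidate passes. The slide's "2 upper/lower letters" is read here as at least 2 uppercase and 2 lowercase letters (an assumption); the 20-character length and the special-character set are choices of this example.

```shell
# Count how many characters of $1 belong to the tr(1) character set $2.
count_class() {
    printf '%s' "$1" | LC_ALL=C tr -cd "$2" | wc -c | tr -d ' '
}

# Return 0 if the password meets the policy on the slide: 12-128 characters,
# at least 2 uppercase letters, 2 lowercase letters, 1 digit and 1 special
# character (the 2-and-2 reading of "2 upper/lower letters" is an assumption).
conjur_password_ok() {
    pw=$1
    len=${#pw}
    [ "$len" -ge 12 ] && [ "$len" -le 128 ] || return 1
    [ "$(count_class "$pw" 'A-Z')" -ge 2 ] || return 1
    [ "$(count_class "$pw" 'a-z')" -ge 2 ] || return 1
    [ "$(count_class "$pw" '0-9')" -ge 1 ] || return 1
    [ "$(count_class "$pw" '[:punct:]')" -ge 1 ] || return 1
}

# Draw 20 random characters from /dev/urandom and retry until the policy is
# met. The retry handles the occasional draw that lacks a digit, a special
# character or enough letters of one case.
gen_conjur_password() {
    while :; do
        candidate=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*_+=-' < /dev/urandom | head -c 20)
        if conjur_password_ok "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
}

# Usage in the slide's variable block, replacing openssl rand -hex 8:
# password=$(gen_conjur_password)
```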
STEP 8: IMPORT CERTIFICATE (OPTIONAL)

Import SSL Digital Certificates

• Self-signed certificates are generated by default
• Recommend importing third-party certificates
• Conjur services on the Leader are stopped/restarted during import

Create Archive File for Certificates:
tar -cf conjurCerts.tar cacert.cer follower.cer follower.key leader.cer leader.key

Copy/Extract Certificate Files to Leader (Master):
docker cp conjurCerts.tar <leader-container>:/tmp
docker exec <leader-container> tar -xf /tmp/conjurCerts.tar

Import Certificates Using Evoke:
Import root/CA cert:
docker exec <leader-container> evoke ca import --force --root cacert.cer
Import server cert (Leader):
docker exec <leader-container> evoke ca import --key leader.key --set leader.cer
Import Follower cert:
docker exec <leader-container> evoke ca import --key follower.key follower.cer

STEP 9: ENCRYPT SERVER KEYS (OPTIONAL)

Encrypt Server Keys (Leader)

• Strongly recommended to encrypt server keys (data key, Conjur UI key, and SSL keys) with a leader key

Choose Encryption Method:
Native Key, HSM, or AWS KMS

Generate Encryption Key (on Leader host machine):
openssl rand 32 > <file-path>/master.key

Copy Encryption Key (from Leader host machine):
docker cp <file-path>/master.key <leader-container>:/etc/conjur-secrets/master.key

Encrypt Server Key:
docker exec <leader-container> evoke keys encrypt /etc/conjur-secrets/master.key

Unlock Server Key for Conjur Access:
docker exec <leader-container> evoke keys unlock /etc/conjur-secrets/master.key

STEP 10: VERIFY HEALTH

Verify Conjur Health

• Conjur provides a RESTful API to verify system health

Verify Health (cluster) – Browse to URL:
https://<cluster-load-balancer-dns>/health

Verify Health (individual node) – Browse to URL:
https://<conjur-node-dns>/health

INSTALLATION PROCEDURES:
STANDBY

INSTALLATION WORKFLOW: STANDBY

1. Install/Secure Linux OS & Open Ports/Protocols
2. Create System Folders on Linux Host OS
3. Install Platform Software (Docker Engine)
4. Load Conjur Image Into Local Docker Repository
5. Prepare Docker Security Profile (seccomp)
6. Run Docker to Create the Conjur Container
7. Run Evoke to Create Seed File for Standby
8. Run Evoke to Configure Conjur as Standby
9. Enable & Start Cluster Replication

[Workflow phases shown on the slide: PLAN, INSTALLATION, CONFIGURE, IMPLEMENT, ACTIVATE]

STEPS 1 TO 6: REPEAT SAME AS LEADER (MASTER)

STEP 7: CREATE/UNPACK SEED FILE (STANDBY)

Create Seed File (Standby)

Seeding a cluster node (Standby/Follower) involves copying a seed file from the Leader to the cluster node, and then unpacking the seed file.

• Streaming via SSH:
ssh -i "<path-leader.pem>" <user@leader-dns> "sudo docker exec <leader-container> evoke seed standby <standby-dns> <leader-dns>" | ssh -i "<path-standby.pem>" <user@standby-dns> "sudo docker exec -i <standby-container> evoke unpack seed -"

• Manual Method (the seed is written inside the Leader container so that step 2 can copy it out):
1. (leader) docker exec <leader> sh -c "evoke seed standby <standby-dns> > /tmp/standby.tar"
2. (leader) docker cp <leader>:/tmp/standby.tar ./
3. (standby) docker cp ./standby.tar <standby>:/tmp
4. (standby) docker exec <standby> evoke unpack /tmp/standby.tar

STEP 8: EVOKE CONFIGURE STANDBY

Configure Conjur Standby Servers

• Command syntax varies depending on whether server keys are encrypted or not

Configure Standby with Server Key Encryption:
docker exec <standby-container> evoke keys exec -m <path-master-key> -- evoke configure standby

Configure Standby without Server Key Encryption:
docker exec <standby-container> evoke configure standby

STEP 9: EVOKE REPLICATION

Enable & Start Conjur Cluster Replication

• Synchronous replication ensures all database writes are written to the Leader and to at least one Standby
• Protects against data loss in the event the Leader fails

Global Variables:
standbyContainer=<standby-container>
leaderContainer=<leader-container>

Enable Cluster Replication (Synchronous Standby):
docker exec $standbyContainer evoke replication sync enable

Enable Cluster Replication (Asynchronous Standby):
docker exec $standbyContainer evoke replication sync disable

Start Cluster Replication (Leader, with 2 or more synchronous Standbys):
docker exec $leaderContainer evoke replication sync start

Start Cluster Replication (Leader, with only 1 synchronous Standby):
docker exec $leaderContainer evoke replication sync start --force

INSTALLATION PROCEDURES:
FOLLOWER

INSTALLATION WORKFLOW: FOLLOWER

1. Install/Secure Linux OS & Open Ports/Protocols
2. Create System Folders on Linux Host OS
3. Install Platform Software (Docker Engine)
4. Load Conjur Image Into Local Docker Repository
5. Prepare Docker Security Profile (seccomp)
6. Run Docker to Create the Conjur Container
7. Run Evoke to Create Seed File for Follower
8. Run Evoke to Configure Conjur as Follower

[Workflow phases shown on the slide: PLAN, INSTALLATION, CONFIGURE, IMPLEMENT, ACTIVATE]

STEPS 1 TO 5: REPEAT SAME AS LEADER (MASTER)

STEP 6: CREATE CONJUR CONTAINER (FOLLOWER)

Create Follower Container

• Each Conjur node requires a separate container created and running
• Leader & Standby nodes are identical. Followers are slightly different
• Syntax varies based on version

Create Conjur Follower Container:
docker run --name <container-name> -d --restart=unless-stopped \
  --security-opt seccomp:<profile> \
  -p "443:443" -p "444:444" \
  --log-driver journald -v <add_volumes> \
  registry.tld/conjur-appliance:<version>

Verify Docker Container Created:
docker ps

i For more information refer to:
https://docs.cyberark.com

STEP 7: CREATE/UNPACK SEED FILE (FOLLOWER)

Create Seed File (Follower)

Seeding a cluster node (Standby/Follower) involves copying a seed file from the Leader to the cluster node, and then unpacking the seed file.

• Streaming via SSH:
ssh -i "<path-leader.pem>" <user@leader-dns> "sudo docker exec <leader-container> evoke seed follower <follower-dns> <leader-dns>" | ssh -i "<path-follower.pem>" <user@follower-dns> "sudo docker exec -i <follower-container> evoke unpack seed -"

• Manual Method (the seed is written inside the Leader container so that step 2 can copy it out):
1. (leader) docker exec <leader> sh -c "evoke seed follower <follower-dns> <leader-dns> > /tmp/follower.tar"
2. (leader) docker cp <leader>:/tmp/follower.tar ./
3. (follower) docker cp ./follower.tar <follower>:/tmp
4. (follower) docker exec <follower> evoke unpack /tmp/follower.tar

STEP 8: EVOKE CONFIGURE FOLLOWER

Configure Conjur Follower Servers

• No command syntax difference when using server key encryption

Configure Follower (with or without server key encryption):
docker exec <follower-container> evoke configure follower

CONJUR SERVER STATUS

CONJUR SERVER STATUS: CONJUR UI

Verify Server Status from the UI
• Authenticate to the Conjur UI using an admin credential, then select the settings icon in the top right corner of the UI
• Select Conjur Cluster from the menu

CONJUR SERVER STATUS: CONJUR CLI

Verify Server Status from the Conjur CLI
• Verify Conjur server health from the Docker container:
docker exec <conjur_container> curl -s -k https://localhost/health
• Verify Conjur server health from the network (the CA certificate is supplied so the node's certificate is verified; -k would disable that verification):
curl -s --cacert <cert.pem> https://<conjur>/health

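The following is an added example, not part of the CyberArk slides: a POSIX shell sweep of the /health endpoint on the cluster load-balancer name and on each node, over both HTTPS 443 and the HTTP 444 health-check port from the Ports & Protocols slide, treating any non-200 answer or an unreachable host as unhealthy. The host names are placeholders, and the 5-second timeout is a choice of this example.

```shell
# HTTP status code for a URL; "000" when the host is unreachable or the
# request fails. -k matches the self-signed certificates Conjur ships by
# default; use --cacert <ca.pem> instead once third-party certificates are
# imported. Kept as its own function so it can be stubbed for testing.
health_code() {
    code=$(curl -s -k --max-time 5 -o /dev/null -w '%{http_code}' "$1" 2>/dev/null) || code=000
    printf '%s' "${code:-000}"
}

# Check one DNS name on both health endpoints. Prints one line per endpoint
# and returns 0 only when both answered HTTP 200.
check_node() {
    node=$1
    rc=0
    for url in "https://$node/health" "http://$node:444/health"; do
        code=$(health_code "$url")
        if [ "$code" = "200" ]; then
            printf 'OK   %s\n' "$url"
        else
            printf 'FAIL %s (HTTP %s)\n' "$url" "$code"
            rc=1
        fi
    done
    return "$rc"
}

# Sweep every name given as an argument (load balancer first, then nodes)
# and return non-zero if any of them is unhealthy.
check_cluster() {
    failures=0
    for target in "$@"; do
        check_node "$target" || failures=$((failures + 1))
    done
    printf '%d target(s) unhealthy\n' "$failures"
    [ "$failures" -eq 0 ]
}

# Example sweep (cluster name from the architecture slide; node names assumed):
# check_cluster conjur-cluster.corp.com conjur1.corp.com conjur2.corp.com conjur3.corp.com
```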
SUMMARY

In this session we discussed:

• Conjur System Requirements
• Install Conjur High-Availability Secrets Manager solution
• Conjur Health Check

THANK YOU