SECRET-SEN CyberArk Sentry Secrets Manager Questions and Answers

The error message indicates that the authenticator webservice is not enabled on the Conjur server. To enable the authenticator, you need to modify the conjur.conf file in the /opt/conjur/etc directory and add the authenticator webservice ID to the CONJUR_AUTHENTICATORS environment variable. For example, if the authenticator webservice ID is authn-k8s/prd-cluster-01, you need to add it to the existing value of CONJUR_AUTHENTICATORS, separated by a comma. Then, you need to restart the Conjur service for the changes to take effect. This will enable the authenticator on the Conjur server and allow the Kubernetes application to authenticate to the Follower load balancer.  References:   Enable the Authenticator Webservice ,  Configure the Authenticator Webservice

Followers are read-only replicas of the Leader that perform asynchronous replication from the Leader. This means that they receive updates from the Leader periodically, but not in real time. Followers are designed to handle all types of read requests from workloads and applications, such as authentication, permission checks, and secret fetches. Followers can scale horizontally to support a large number of concurrent requests and reduce the load on the Leader. Followers also provide high availability and disaster recovery by serving as backup nodes in case of Leader failure or network partition.  References:   Set up Follower ,  Deploy the Conjur Follower ,  Follower architecture

According to the CyberArk Sentry Secrets Manager documentation, JWT-based authentication is the recommended method for authenticating Kubernetes pods with Conjur. JWT-based authentication uses JSON Web Tokens (JWTs) that are issued by the Kubernetes API server and signed by its private key. The JWTs contain the pod’s namespace and service account as identity characteristics, which are verified by Conjur against a policy that defines the allowed namespaces and service accounts. JWT-based authentication is fast, scalable, and secure, as it does not require any additional certificates, secrets, or sidecars to be deployed on the pods. JWT-based authentication also supports rotation and revocation of the Kubernetes API server’s private key, which enhances the security and resilience of the authentication process.

Certificate-based authentication is another method for authenticating Kubernetes pods with Conjur, but it is not the best option for performance. Certificate-based authentication uses X.509 certificates that are generated by a Conjur CA service and injected into the pods as Kubernetes secrets. The certificates contain the pod’s namespace and service account as identity characteristics, which are verified by Conjur against a policy that defines the allowed namespaces and service accounts. Certificate-based authentication is secure and reliable, but it requires more resources and steps to generate, inject, and manage the certificates and secrets. Certificate-based authentication also does not support rotation and revocation of the certificates, which may pose a security risk if the certificates are compromised or expired.

API key authentication and Connect (OIDC) authentication are not valid methods for authenticating Kubernetes pods with Conjur. API key authentication is used for authenticating hosts, users, and applications that have a Conjur identity and an API key. Connect (OIDC) authentication is used for authenticating users and applications that have an OpenID Connect identity and a token. These methods are not suitable for Kubernetes pods, as they do not use the pod’s namespace and service account as identity characteristics, and they require additional secrets or tokens to be stored and managed on the pods.  References : =  JWT Authenticator | CyberArk Docs ;  Certificate Authenticator | CyberArk Docs ;  API Key Authenticator | CyberArk Docs ;  Connect Authenticator | CyberArk Docs

 The most maintenance-free way to ensure a Conjur host’s access reflects any changes made to accounts in a safe in the CyberArk vault is to grant the consumers group/role created by the Synchronizer for the Safe to the host. This means that the host will inherit the read and execute permissions on all the secrets in the Safe from the consumers group/role, and will automatically get access to any new or updated secrets in the Safe without requiring any manual intervention or policy changes. The consumers group/role is created by the Vault Conjur Synchronizer, which is a service that synchronizes secrets between the CyberArk vault and Conjur. The Synchronizer creates a policy branch for each Safe in Conjur, and assigns the consumers group/role to have read and execute permissions on all the secrets in the Safe.  The Synchronizer also creates a delegation policy for each Safe, which allows the Safe admins to grant permissions to other users, hosts, groups, or layers 1 2 .

The other options are not the most maintenance-free ways to ensure a Conjur host’s access reflects any changes made to accounts in a safe in the CyberArk vault. Writing an automation script to update and load the host’s policy using PATCH/update may work, but it requires additional effort and maintenance to ensure the script is always running and up to date with the changes in the Safe. Using yami anchor [ & ] and wildcard (*) syntax to maintain its list of permission grants may simplify the policy writing, but it still requires manual editing and loading of the policy whenever a new secret is added or removed from the Safe.  Using PVWA to add the Conjur host ID as a member of the Safe may not be possible or advisable, as the PVWA is designed for managing human users and not Conjur hosts, and it may not have the necessary integration or authorization to do so 3 .  References : =

Vault Conjur Synchronizer  1 , Synchronizer Policy Structure

Grant permissions on secrets  2 , Grant role permissions on all secrets in a Safe

Privileged Access Manager - Self-Hosted  3 , Privileged Web Access (PVWA)

Based on the image you sent, the correct network port to its function in Conjur are:

22: required for SSH access

443: TLS endpoint for Conjur UI and API

444: HTTP health endpoint: simplifies load balancer setup

1999: audit events are streamed from the Follower to the Leader (using syslog-ng)

5432: required for data replication from the Leader to Standbys and Followers (PostgreSQL)

These are the standard ports and protocols used by the Conjur components to communicate with each other and with external clients. The ports can be customized according to the network and security requirements of the organization.  These ports are documented in the CyberArk Secrets Manager documentation 1  and the CyberArk Secrets Manager training course 2 .

= According to the CyberArk Sentry Secrets Manager documentation, the replace method is used to overwrite an existing policy branch with a new policy file. This method is suitable for making changes to the existing resources, such as modifying their annotations, permissions, or attributes. The replace method preserves the existing data and secrets associated with the resources, but removes any resources that are not defined in the new policy file. Therefore, to change the annotations for authentication of a Conjur host, the replace method is the best option.

The append method is used to add new resources or data to an existing policy branch, without affecting the existing resources. This method is suitable for creating new hosts, groups, variables, or secrets, but not for modifying the existing ones. The append method will ignore any changes to the existing resources, such as annotations, and will only load the new resources or data.

The delete method is used to remove resources or data from an existing policy branch, without affecting the other resources. This method is suitable for deleting hosts, groups, variables, or secrets, but not for modifying them. The delete method will remove any resources or data that are defined in the policy file, and will ignore any resources or data that are not defined in the policy file.

The update method is used to modify the data or secrets associated with existing resources, without affecting the resources themselves. This method is suitable for changing the values of variables or secrets, but not for changing the annotations, permissions, or attributes of the resources. The update method will only load the data or secrets that are defined in the policy file, and will ignore any resources or data that are not defined in the policy file.  References : =  Annotation reference | CyberArk Docs ;  Policy load modes | CyberArk Docs ;  Policy - docs.cyberark.com

= Summon is a command-line tool that provides on-demand secrets access for common DevOps tools. It reads a file in secrets.yml format and injects secrets as environment variables into any process. The secrets.yml file is where you define which secrets to retrieve from a trusted store, such as CyberArk Secrets Manager. The secrets.yml file specifies the name and location of each secret, as well as the environment variable to assign it to. For example, a secrets.yml file could look like this:

DB_USERNAME: !var dev/my-app/db-username DB_PASSWORD: !var dev/my-app/db-password

This means that Summon will fetch the values of dev/my-app/db-username and dev/my-app/db-password from the trusted store, and assign them to the environment variables DB_USERNAME and DB_PASSWORD, respectively. Then, Summon will run the specified process with these environment variables set, and remove them once the process exits. This way, Summon enables secure and convenient access to secrets without exposing them in plain text or storing them in files.

References  =  Summon by cyberark - GitHub Pages ;  Using Summon to Manage Secrets as You Move From Dev to Prod

This is the correct answer because the Conjur Token is a JSON Web Token (JWT) that is signed by the Conjur master and contains the identity and permissions of the application. The Conjur Token is stateless, meaning that it does not depend on any stored session or transaction information on the server side. Therefore, any Conjur follower can validate the Token by verifying the signature and the expiration time, and satisfy the request by retrieving the credential from the local database. This allows the Conjur followers to be horizontally scalable and load balanced, and to provide high availability and performance for the applications.  This answer is based on the Conjur documentation 1  and the Conjur training course 2 .

= The cause of the issue is that the token is not correctly encoded. A token is a string of characters that represents a credential or an authorization grant for accessing a resource. A token must be encoded according to a specific format and standard, such as Base64, JSON Web Token (JWT), or OAuth 2.0. If the token is malformed, meaning that it does not follow the expected format or standard, the server will reject the token and return an error 401 - Malformed Authorization Token. This error indicates that the token is invalid or expired, and the request is unauthorized.  To resolve the issue, the token must be regenerated or refreshed using the correct encoding method and parameters 1 2 .  References : =

CyberArk Identity: Getting 401 unauthorized Error when using API calls with OAuth2 Client  2 , Resolution 1

Troubleshoot CyberArk Vault Synchronizer  1 , Error: Forbidden Logon Token is Empty - Cannot logon Unauthorized

The most likely cause for this issue is A. The application ID or Application Provider does not have the correct permissions on the safe. The CyberArk Central Credential Provider (CCP) is a web service that enables applications to retrieve secrets from the CyberArk Vault using REST API calls. The CCP requires an application ID or an Application Provider to authenticate and authorize the application before returning the requested secret. The application ID or Application Provider must have the Retrieve and List permissions on the safe where the secret is stored, otherwise the CCP will not be able to find the matching secret and will return an error.

To resolve this issue, you should verify that the application ID or Application Provider has the correct permissions on the safe, and that the safe name and object name are correctly specified in the REST API call. You can use the CyberArk Privileged Access Security Web Access (PVWA) or the PrivateArk Client to check and modify the permissions on the safe. You can also use the CyberArk REST API Tester or a tool like Postman to test the REST API call and see the response from the CCP. For more information, refer to the following resources:

Credential Providers - Centralized Credential Management | CyberArk , Section “Central Credential Provider”

Credential Provider - CyberArk , Section “Using the Credential Provider”

How to Build Your Secrets Management REST API’s into Postman , Section “How to Build Your Secrets Management REST API’s into Postman”

Conjur Followers are read-only replicas of the Leader that can serve client requests for authentication, authorization, and secret retrieval. However, Followers cannot perform write operations, such as creating or updating secrets, policies, or roles. If the Leader becomes unavailable, the Followers will not be able to sync with the latest data and will eventually become stale. To ensure high availability and data consistency, the customer should extend the auto-failover cluster to include Standbys in each data center. Standbys are also replicas of the Leader, but they can participate in replication and promotion. One Standby is configured for synchronous replication, which means it receives the same updates as the Leader at the same time. The other Standbys are configured for asynchronous replication, which means they receive updates from the Leader periodically, but not in real time. In case of Leader failure, the synchronous Standby can be automatically promoted to become the new Leader, and one of the asynchronous Standbys can become the new synchronous Standby. This way, the customer can ensure that there is always an up-to-date Leader that can serve write requests and sync with the Followers in different data centers.  References:   Set up Follower ,  Set up auto-failover cluster ,  Conjur architecture and deployment reference

ServiceAccount and StatefulSet are two of the Kubernetes resources/objects that can be used as Conjur identities, in addition to Namespace and Deployment. Conjur identities are the entities that can authenticate with Conjur and retrieve secrets from it. Conjur supports authenticating Kubernetes resources/objects using the Conjur Kubernetes Authenticator, which is a sidecar or init container that runs alongside the application container and injects the Conjur access token into a shared volume. The application container can then use the access token to fetch secrets from Conjur.

A ServiceAccount is a Kubernetes resource that represents an identity for processes that run in a pod. ServiceAccounts can be used to grant specific privileges and permissions to the pod, and to enable communication with the Kubernetes API server. A ServiceAccount can be used as a Conjur identity by annotating it with the Conjur authentication policy branch ID, and by creating a Conjur host entity that matches the ServiceAccount name and namespace. The Conjur Kubernetes Authenticator will then use the ServiceAccount token to authenticate the pod with Conjur and obtain the Conjur access token.

A StatefulSet is a Kubernetes resource that manages the deployment and scaling of a set of pods, and provides guarantees about the ordering and uniqueness of these pods. StatefulSets are useful for applications that require stable and persistent identities, such as databases, message brokers, or distributed systems. A StatefulSet can be used as a Conjur identity by annotating it with the Conjur authentication policy branch ID, and by creating a Conjur host entity that matches the StatefulSet name and namespace. The Conjur Kubernetes Authenticator will then use the pod name and namespace to authenticate the pod with Conjur and obtain the Conjur access token.

The other options are not valid Kubernetes resources/objects that can be used as Conjur identities. Replica sets are a lower-level resource that are usually managed by higher-level resources such as Deployments or StatefulSets, and do not have their own identity or annotations. Secrets are a Kubernetes resource that store sensitive information such as passwords, tokens, or keys, and are not meant to be used as identities. Tokenreviews are a Kubernetes resource that are used to verify the validity of a ServiceAccount token, and are not meant to be used as identities either.  References :

Securing Secrets in Kubernetes - CyberArk Developer , Section “Conjur Kubernetes Authentication: A Hands-On Demonstration”

GitHub - cyberark/secrets-provider-for-k8s: Cyberark secrets provider … , Section “Consuming Secrets from CyberArk Secrets Provider”

Secure your Kubernetes-deployed applications with CyberArk Conjur , Section “How it works”

Simplify and Improve Container Security Using New CyberArk Conjur … , Section “CyberArk Conjur Enterprise”

Keeping Secrets Secure on Kubernetes - CyberArk Developer , Section “The Solution”

Summon is a utility that allows applications to access secrets from a variety of trusted stores and export them as environment variables to a sub-process environment. Summon does not require any changes to the application code to retrieve secrets from the CyberArk Central Credential Provider (CCP), as it uses a provider plugin that handles the communication with the CCP. However, the application code must be able to access secrets from a configuration file or environment variable, as these are the methods that Summon uses to inject secrets into the application. Summon reads a secrets.yml file that defines the secrets that the application needs and maps them to environment variables. Then, Summon fetches the secrets from the CCP using the provider plugin and exports them as environment variables to the application sub-process. The application can then read the secrets from the environment variables as if they were hard-coded in the configuration file.  References:   Summon-inject secrets ,  .NET Application Password SDK

 Secrets Provider and Secretless are two solutions that can minimize the Kubernetes application code changes required to adopt Conjur for secrets access. Secrets Provider is a Kubernetes Job or Deployment that runs as an init container or application container alongside the application pod. It retrieves secrets from Conjur and writes them to one or more files in a shared, mounted volume. The application can then consume the secrets from the files without any code changes, as reading local files is a common and platform-agnostic method. Secretless is a sidecar proxy that runs as a separate container in the same pod as the application. It intercepts the application’s requests to protected resources, such as databases or web services, and injects the secrets from Conjur into the requests. The application does not need to handle any secrets in its code, as Secretless handles the authentication and authorization for it.  References:   CyberArk Secrets Provider for Kubernetes ,  Secretless Broker

The correct order for prioritization of the findings is as follows:

A new vulnerability scanner project is nearing completion and is expected to go into production soon. This scanner is owned by the Security Team that owns CyberArk. This finding should be prioritized first because it has the highest urgency, feasibility, and alignment with the Security Team’s goals. The vulnerability scanner is a critical security tool that needs to protect its credentials from unauthorized access. The Security Team can leverage their own expertise and authority to implement the Secrets Manager solution for this project without much delay or dependency.

A large, high performance application under PCI DSS regulation will require many CPs. This will require a license purchase. The procurement process can take 6-12 months. The development team is eager to work with Security on this project. This finding should be prioritized second because it has a high impact, compliance requirement, and stakeholder support. The application handles sensitive payment card data that needs to be secured by the Secrets Manager solution. The development team is willing to collaborate with the Security Team on this project and can help with the technical aspects of the implementation. However, this finding also has a high cost and a long lead time due to the license purchase and the procurement process.

A small, internally developed application under HIPPA regulation needs updates to the application code to retrieve secrets from a Secrets Manager solution. The development team stated they cannot accommodate this work before next quarter. This finding should be prioritized third because it has a moderate impact, compliance requirement, and feasibility. The application handles protected health information that needs to be secured by the Secrets Manager solution. The development team is aware of the need to update the application code to integrate with the Secrets Manager solution, but they have other priorities and constraints that prevent them from doing so in the near term.

Here ' s the reasoning behind this order:

1. New vulnerability scanner project:

This project directly impacts CyberArk ' s Security Team, making it a high priority due to potential internal security concerns. Additionally, its near-completion state suggests a quicker implementation timeframe.

2. Large application under PCI DSS:

While this application requires significant resources and time investment due to license purchase and development, its high performance and PCI DSS regulation compliance mandate prioritization. Delaying this project could potentially lead to security vulnerabilities and compliance issues.

3. Small application under HIPAA:

Although HIPAA regulation necessitates compliance, the application ' s size and development team ' s delay request suggest a lower priority compared to the previous two projects. However, it should still be addressed within the next quarter as mandated by the development team.