
Vault-Conjur Integration

Version 10.2

Important Notice
Conditions and Restrictions
This guide is delivered subject to the following conditions and restrictions:
This guide contains proprietary information and ideas belonging to CyberArk Software Ltd. which
are supplied solely for the purpose of assisting explicitly and properly authorized users of the
CyberArk software.
No part of its contents may be used for any other purpose, disclosed to any person or firm or
reproduced by any means, electronic and mechanical, without the express prior written
permission of CyberArk Software Ltd.
The software described in this document is furnished under a license. The software may be used
or copied only in accordance with the terms of that agreement.
Information in this document, including the text and graphics which are made available for the
purpose of illustration and reference only, is subject to change without notice. Corporate and
individual names and data used in examples herein are fictitious unless otherwise noted.
Third party components used in the CyberArk software may be subject to applicable terms and
conditions.

Acknowledgements
This product includes software developed by the OpenSSL Project for use in the OpenSSL
Toolkit (http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
This product includes software written by Ian F. Darwin.
This product includes software developed by the ICU Project (http://site.icu-project.org/)
Copyright © 1995-2009 International Business Machines Corporation and other. All rights
reserved.

Copyright
© 2000-2018 CyberArk Software Ltd. All rights reserved.
CyberArk®, the CyberArk logo, and all other names and logos that appear in this Guide are
trademarks of CyberArk Software Ltd. and their respective owners.
Information in this document is subject to change without notice.
CS-010-2-1-1

CyberArk Viewfinity
Table of Contents 3

Table of Contents

Introduction 5
Solution benefits 6
How does it work? 6
Synchronizer Flow 7
System requirements 9
Hardware requirements 10
Licensing 10
Audits 10
Synchronizer Installation 11
Configure Vault components 11
Configure Vault component manually 11
Configure Vault components using Postman 12
Installation 14
Standard installation 15
Silent installation 15
Post installation 16
Security 18
Configuration files 19
VaultConjurSynchronizer.exe.config 19
Vault.ini 20
Run Synchronizer 24
Line of Business (LOB) 25
Overview 25
Add an LOB 25
Add an LOB manually 25
Add an LOB using Postman 26
Delete an LOB 26
Supported LOBs 27
Conjur Policies 28
Accounts and Safes 29
Manage Single Accounts 29
Provisioning methods 29
Add an account in the PVWA 29
Manage Dual Accounts 31
Configure Dual Accounts 32
One-time Passwords and Exclusive Accounts 38
Interactive usage of one-time passwords and exclusive accounts 38
Application usage of one-time passwords and exclusive accounts 38
Manage Accounts and Safes During Synchronization 39
Limitations 41
Logs 42

Troubleshooting 43


Introduction

CyberArk's Digital Enterprise Password Vault ® (EPV) integration with Conjur extends
CyberArk Privileged Account Security to the DevOps space and to modern, dynamic
environments. Secrets that are stored and managed in the CyberArk Vault can now be
shared with Conjur and used via its clients, APIs and SDKs to enhance security and
reduce risk in DevOps environments, including CI/CD pipelines, containerized
applications, and cloud platforms.
The integration between the Enterprise Password Vault ® (EPV) and Conjur provides
Security, IT, and DevOps teams with a common platform to enforce privileged account
security policies on all platforms - On Premise/Cloud/DevOps - to form a consistent,
unified enterprise-wide PAS Program.


Solution benefits
CyberArk's Digital Enterprise Password Vault ® (EPV) integration with Conjur provides
the following benefits:
- Enables CyberArk customers who store and manage their secrets in the Enterprise
Password Vault ® (EPV) to benefit from Conjur's capabilities to provide secrets in
dynamic and ephemeral environments and containers.
- Enables central policy enforcement for DevOps use cases, such as rotation,
monitoring, and auditing.

How does it work?


1. Vault Admin creates LOB users and grants them ownership to specific safes. These
LOBs facilitate the syncing of accounts to Conjur.
2. The Synchronizer retrieves the accounts for these LOBs.
3. The Synchronizer generates a Conjur policy (YAML file) for these LOBs that contains
the secrets defined as variables, and loads them to Conjur.
4. The Synchronizer syncs the accounts to Conjur as Conjur variables.
5. The Conjur LOB Admin creates and loads a Conjur policy that delegates users and
hosts permissions to the variables.
During each sync interval, the Synchronizer repeats step 2 and, if needed, steps 3
and 4.

Synchronizer Flow
The Synchronizer syncs secrets from accounts in the root folder of safes that are owned
by the LOB user.
The Synchronizer supports most account types. To learn more about single and dual
accounts, see Accounts.

Note:
Accounts used on Service Account platforms are not synced.

In each sync interval the following steps are taken:

1. The Synchronizer user retrieves all LOB User accounts from the ConjurSync safe.
- If there is a new LOB, generate the policy file and load it to Conjur.
- Save the policy to a folder named ConjurPolicies.
Each Vault account is represented in Conjur by the following variables:

Variable: password, Required: Yes
Variable: username, Required: No

For example:

Single account (Vault_Name/Safe1/Root/Account1):

- !variable
  id: Safe1/Account1/username
  owner: !group lob_name-admins
  annotations:
    cyberark-vault: true
    cyberark-vault/accounts: Vault_Name/Safe1/Account1

- !variable
  id: Safe1/Account1/password
  owner: !group lob_name-admins
  annotations:
    cyberark-vault: true
    cyberark-vault/accounts: Vault_Name/Safe1/Account1

Dual account (Vault_Name/Safe1/Root/Account1, Vault_Name/Safe1/Root/Account2):

- !variable
  id: Safe1/virtual_user_name/username
  owner: !group lob_name-admins
  annotations:
    cyberark-vault: true
    cyberark-vault/accounts: Vault_Name/Safe1/Account1, Vault_Name/Safe1/Account2
    cyberark-vault/dual-account: true

- !variable
  id: Safe1/virtual_user_name/password
  owner: !group lob_name-admins
  annotations:
    cyberark-vault: true
    cyberark-vault/accounts: Vault_Name/Safe1/Account1, Vault_Name/Safe1/Account2
    cyberark-vault/dual-account: true

Non-CPM managed account: same as single account.

Note:
In a Dual account, the virtual_user_name of the Dual Account group must be unique
per safe. For example, if a user has two Unix environments with Dual Account
configured, then the two environments cannot have the same virtual_user_name.

Note:
If multiple LOBs own the same safe, a set of variables representing the username and
password is created for each LOB in Conjur.

2. If there is a new LOB, generate the policy file and load it to Conjur.
The Synchronizer runs in intervals as defined by the SYNC_INTERVAL_TIME parameter in
the VaultConjurSynchronizer.exe.config file. This process syncs the LOB owned safes
with Conjur. The default value for SYNC_INTERVAL_TIME is 5 minutes.
If the syncing process takes longer than the SYNC_INTERVAL_TIME, the next sync
interval is skipped.
3. If an account is added to a synced safe, or if a new safe was added or assigned to the
LOB User, then the new accounts are synced to Conjur in the next sync interval.
The Synchronizer first refreshes changes in currently synced secrets and then adds the
new accounts to Conjur, so ongoing changes are updated as soon as possible.
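The variable entries in the table above, rendered by a small Python helper. This is an added example and not the Synchronizer's own code: the page shows only the variable entries, not the rest of the generated policy file, so only those entries are produced here, and the per-safe uniqueness rule from the Note is checked before rendering. Account names and LOB names in the code are constructed sample data.

```python
"""Render the Conjur variable entries described in the Synchronizer flow.

Added example, not the Synchronizer's own code.  Assumptions: the policy file
consists of the variable entries shown in the table (the surrounding layout of
the generated file is not shown on this page); account data is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class VaultAccount:
    vault: str  # logical Vault name (INTEGRATION_VAULT_NAME), e.g. the Vault's DNS name
    safe: str   # safe owned by the LOB user
    name: str   # account name in the safe's root folder

    def ref(self) -> str:
        # Form used in the cyberark-vault/accounts annotation (no "Root/" segment).
        return f"{self.vault}/{self.safe}/{self.name}"


def _variable_entry(var_id: str, lob: str, accounts: Sequence[VaultAccount],
                    dual: bool) -> str:
    """One `- !variable` entry owned by the LOB's admin group."""
    lines = [
        "- !variable",
        f"  id: {var_id}",
        f"  owner: !group {lob}-admins",
        "  annotations:",
        "    cyberark-vault: true",
        "    cyberark-vault/accounts: " + ", ".join(a.ref() for a in accounts),
    ]
    if dual:
        lines.append("    cyberark-vault/dual-account: true")
    return "\n".join(lines)


def single_account_entries(account: VaultAccount, lob: str) -> str:
    """Two variables per account: <safe>/<account>/username and .../password.
    A non-CPM managed account is rendered the same way."""
    return "\n\n".join(
        _variable_entry(f"{account.safe}/{account.name}/{var}", lob, [account], False)
        for var in ("username", "password"))


def dual_account_entries(accounts: Sequence[VaultAccount], virtual_user_name: str,
                         lob: str) -> str:
    """One username/password pair named after the dual account group's
    virtual_user_name, annotated with every member account."""
    safes = {a.safe for a in accounts}
    if len(safes) != 1:
        raise ValueError("all members of a dual account group must be in one safe")
    safe = safes.pop()
    return "\n\n".join(
        _variable_entry(f"{safe}/{virtual_user_name}/{var}", lob, accounts, True)
        for var in ("username", "password"))


def virtual_user_names_unique(groups: Iterable[Tuple[Sequence[VaultAccount], str]]) -> bool:
    """The Note above: a virtual_user_name must be unique per safe, otherwise two
    dual account groups would map onto the same Conjur variable ids."""
    seen = set()
    for accounts, virtual_user_name in groups:
        key = (accounts[0].safe, virtual_user_name)
        if key in seen:
            return False
        seen.add(key)
    return True


def lob_policy_entries(lob: str, singles: Sequence[VaultAccount],
                       duals: Sequence[Tuple[Sequence[VaultAccount], str]]) -> str:
    """Entries for one LOB.  When several LOBs own the same safe, call this once
    per LOB: each LOB gets its own set of variables (second Note above)."""
    if not virtual_user_names_unique(duals):
        raise ValueError("virtual_user_name is not unique per safe")
    parts: List[str] = [single_account_entries(a, lob) for a in singles]
    parts += [dual_account_entries(accts, vun, lob) for accts, vun in duals]
    return "\n\n".join(parts)


if __name__ == "__main__":
    # Constructed sample data mirroring the table above.
    a1 = VaultAccount("Vault_Name", "Safe1", "Account1")
    a2 = VaultAccount("Vault_Name", "Safe1", "Account2")
    print(lob_policy_entries("lob_name", [a1], [([a1, a2], "virtual_user_name")]))
```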

System requirements

Component: PAS
Requirement: Version 9.5 or above. For details, see the Privileged Account Security
Installation Guide.

Component: Conjur
Requirement: Version 4.9.8. For installation details, see
https://developer.conjur.net/server_setup/platforms/docker.html.

Component: Synchronizer
Requirement: Windows Server 2012 R2, .Net Framework 4.5.2, Powershell 4, RemoteSigned
Windows PowerShell Script Execution Policy, Conjur CLI version 4.29.0 and higher.

Hardware requirements

Component: Conjur server
CPU (# of cores): 4
RAM (GB): Conjur Container: 8; Conjur host machine: 16 or greater

Component: Synchronizer
CPU (# of cores): 2
RAM (GB): 8

Licensing
The Synchronizer and the LOB users are APPProvider users and require appropriate
licenses.

Audits
Audits records are stored in the Enterprise Password Vault ® (EPV) and in Conjur. The
Synchronizer does not maintain audit records.


Synchronizer Installation

This topic describes how to install the Synchronizer on a Windows platform. The
installation process creates a log file in the following locations:
- <Synchronizer directory>/Logs/Installation.log
- <Installation directory>/Installation.log

Note:
You must install Synchronizer on a clean machine.

Configure Vault components


You can configure Vault components either manually or by using a Postman collection,
an executable description of an API.

Configure Vault component manually


Unzip VaultConjurSynchronizer.zip to a directory of your choice. In future steps, we
refer to this as <installation directory>.

PrivateArk client
1. Go to File > Server File Categories... > New to add File Categories for the
Conjur Host platform.
Add the following file categories for the Conjur Host platform:

File Category Name: HostName, Type: TEXT, Required Category: No
File Category Name: ApplianceURL, Type: TEXT, Required Category: No

2. Go to Tools > Administrative Tools > Users and Groups > New > User to
create the user for the Synchronizer. Provide a password for this user.

General tab
User name: Sync_<Synchronizer machine hostname>
User type: APPProvider

Authentication tab
User Must Change Password at Next Logon: Uncheck
Password never expires: Check

PVWA
1. Log in to the PVWA as a Vault administrator.
2. To import the Conjur Host platform, go to ADMINISTRATION > Platform
Management > Import Platform. Open the Policy-ConjurHost.zip from the
<installation directory>/Installation folder.
3. To make the CyberArk Vault platform active, go to ADMINISTRATION > Platform
Management, select CyberArk Vault and then select Active.
4. Create a Safe named ConjurSync managed by the Central Policy Manager. Assign
ownership of the Safe to the Synchronizer Vault user with the following permissions:

Access: Use accounts, Retrieve accounts, List accounts
Account Management: Add accounts, Update account content, Update account properties,
Initiate CPM account management operations
Workflow: Access Safe without confirmation
Advanced: Create folders, Delete folders

Configure Vault components using Postman

From PAS v9.7.2 and above, some configurations can be done using the Postman tool. The
Postman collection, and the relevant environment, can be found in the <installation
directory>/Installation/Postman folder.
To use the Postman collection, import the collection and the environment files to
Postman. Go to Manage Environments > Vault-Conjur Synchronizer
configuration and edit the following environment fields:

VaultIP
Description: IP of the Vault machine
Task: Configure Vault components
Example: 1.1.1.1

PVWAUrl
Description: URL (including protocol) of PVWA
Task: Configure Vault components
Example: https://pvwa-org/PasswordVault

VaultUserName
Description: Vault Admin user name used to configure Vault components
Task: Configure Vault components
Example: Administrator

VaultPassword
Description: Vault Admin password used to configure Vault components
Task: Configure Vault components
Example: Password123

ConjurServerDNS
Description: DNS name of the Conjur server
Task: Configure Vault components
Example: conjur-org

ConjurApplianceURL
Description: The appliance URL of the Conjur server
Task: Configure Vault components
Example: https://conjur-org/api

SynchronizerVaultUsername
Description: Specify a username
Task: Configure Vault components
Example: Sync_<Synchronizer machine hostname>

SynchronizerVaultUserInitialPassword
Description: Initial password for the Synchronizer Vault user. This password is rotated
automatically after the initial Synchronizer run.
Task: Configure Vault components
Example: InitPass123

SynchronizerConjurHostname
Description: Hostname of the Synchronizer Conjur host created during installation
Task: Post installation
Example: host/Sync_<Synchronizer machine hostname>

SynchronizerConjurHostAPIKey
Description: API Key of the Synchronizer Conjur host created during installation. Update
the SynchronizerConjurHostAPIKey variable value in the Postman collection with the
Conjur host account's password retrieved in this step.
Task: Post installation
Example: ate3gjtr...ajkbrb2we2e

LOBName
Description: Name of the LOB to sync with Conjur, used to create the LOB User
Task: Line of Business (LOB)
Example: Lob1

LOBUserPassword
Description: Specify a password
Task: Line of Business (LOB)
Example: Password123

SafeToSync
Description: Name of the safe to sync with Conjur (for multiple safes, run once for
each safe)
Task: Line of Business (LOB)
Example: AutomationSafe

PrivateArk client
Go to File > Server File Categories... > New to add File Categories for the Conjur
Host platform.
Add the following file categories for the Conjur Host platform:

File Category Name: HostName, Type: TEXT, Required Category: No
File Category Name: ApplianceURL, Type: TEXT, Required Category: No

PVWA
1. Log in to the PVWA as a Vault administrator.
2. To import the Conjur Host platform, go to ADMINISTRATION > Platform
Management > Import Platform. Open the Policy-ConjurHost.zip from the
<installation directory>/Installation folder.
3. To make the CyberArk Vault platform active, go to ADMINISTRATION > Platform
Management, select CyberArk Vault and then select Active.

Postman
Run the following requests using Postman:
1. PVWA Logon
2. Create Synchronizer Vault user
3. Create ConjurSync Safe
4. Add Synchronizer Vault User as member of Safe ConjurSync
5. PVWA Logoff

Installation
This topic describes how to install the Synchronizer on the Windows platform.
The Synchronizer can be installed in either of the following ways:

Standard: You will be asked to provide information throughout the installation
process.
Silent: The installation procedure is initiated either by a user or by a script, and is
performed without any human interaction.

Standard installation
1. Unzip VaultConjurSynchronizer.zip to a directory of your choice.
2. Open a Windows PowerShell window, navigate to <directory from the step
above>/Installation and run the following command:

.\SynchronizerInstallation.ps1

3. Follow the installation prompts.

Silent installation
To run a silent installation, you need the following prerequisites:
- Credential file for the Conjur Admin user. During installation, the Conjur Admin user
creates the Synchronizer host in Conjur.
- Configure the silent.ini file.
Do the following to prepare and run the silent installation:
1. Unzip VaultConjurSynchronizer.zip to a directory of your choice. In future steps,
we refer to this as <installation directory>.
2. Open a Windows PowerShell window, navigate to <installation
directory>/Installation/ and run the following commands to create a credentials file
for the Conjur Admin user:

$username = "<Conjur admin username>"
$password = Read-Host "Enter the Conjur admin password" -AsSecureString
$credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$password
$credentials | Export-Clixml ConjurAdminCredFile.xml

3. Go to <installation directory>/Installation to edit the silent.ini file:

InstallationTargetPath
Description: Location to install the synchronizer.
Default value: C:\Program Files\CyberArk\Synchronizer

ConjurServerDNS
Description: Conjur server DNS, including port if needed.

VaultName
Description: The logical name for the CyberArk Vault used to synchronize with Conjur.
For example, the DNS name.

VaultAddress
Description: Address of the CyberArk Vault used to synchronize with Conjur.

VaultPort
Default value: 1858

SynchronizerVaultUsername
Description: Username of the Synchronizer Vault user.

ConjurCredentialsFilePath
Description: Full path of the Conjur Admin user's credentials file that was created in
step 2 (<installation directory>/Installation/ConjurAdminCredFile.xml).

4. Open a Windows PowerShell window, navigate to <installation directory>/Installation
and run the following command:

.\SynchronizerInstallation.ps1 -silent

Post installation
During the installation process, the installer created a credentials file for the Synchronizer
Conjur host. To create an account for this host in the Vault, you need to decode the
credentials stored in this file. This account is the Synchronizer representation in Conjur
and is used to retrieve the Synchronizer identity in Conjur.

Create a cred file for the Synchronizer's Vault user

Note:
Do the following steps after a silent installation.

1. After a silent installation, open a Windows PowerShell window, navigate to
<installation directory>/Installation/CreateCredFile and run the following command:

.\CreateCredFile.exe VaultConjurSynchronizerUser.cred Password /Username Sync_<Synchronizer machine hostname> /Password <Synchronizer Vault User password> /ExePath "C:\Program Files\CyberArk\Synchronizer\VaultConjurSynchronizer.exe" /Hostname

2. Move the output file to C:\Program Files\CyberArk\Synchronizer\Vault.

Add an account in the Vault for the Synchronizer's Conjur host

1. Navigate to <installation directory>/Installation and run the following commands
to read the credentials of the Synchronizer Conjur host:

$credentials = Import-Clixml -Path synchronizerConjurHost.xml
$credentials.Username
$credentials.GetNetworkCredential().password

2. Use the values from step 1 to add an account. You can add an account either
manually in the PVWA or through Postman:

PVWA
Edit the following:

Store in Safe: ConjurSync
Device Type: Application
Platform Name: Conjur Host
Host Name: The value of $credentials.Username
Appliance URL: https://<Conjur Server DNS>/api
Password: The value of $credentials.GetNetworkCredential().password
Name: Conjur_<name> where name is the DNS of Conjur. For example, Conjur_conjur-myorg
Disable automatic management for this account: Check

Postman
Run the following requests using Postman:
a. PVWA Logon
b. Create a Conjur host Account
c. PVWA Logoff

Security
By default, the installation restricts permissions on the Synchronizer folder to the
Administrators group only. If you wish to run the Synchronizer with an OS user that is not
a member of the Administrators group, you will need to give this user read, execute, and
write permissions to the Synchronizer folder.
In addition, only users in the Users group have read-only access to the ConjurPolicies
folder.
Following Synchronizer installation, permanently delete or protect the credentials used
during installation. This includes the files ConjurAdminCredFile.xml,
synchronizerConjurHost.xml and VaultConjurSynchronizerUser.cred.
If Ruby isn't installed prior to the Synchronizer installation, the installation restricts the
permissions on the Ruby folder to the Administrators group.


Configuration files

This topic describes the configuration files for the Synchronizer. These files define how
the Synchronizer works and are modified automatically during installation. You may edit
them manually after installation according to the tables below.

Note:
If you modify a configuration file, restart the Synchronizer.

VaultConjurSynchronizer.exe.config
The following table lists the parameters found in the main configuration file which are
modified automatically during the installation process. These parameters define how the
Synchronizer works.
You can modify the following:

INTEGRATION_VAULT_NAME
Description: The logical name for the CyberArk Vault used to synchronize with Conjur.
For example, the DNS name.

CONJUR_CERT_FILE_PATH
Description: The path to the certification file provided by the Conjur server.

SYNC_INTERVAL_TIME
Description: Interval time (in seconds) when the synchronizer refreshes accounts from
the vault.
Default: 300

Note:
If you change either the SYNC_INTERVAL_TIME in the VaultConjurSynchronizer.exe.config
or the TIMEOUT in the Vault.ini parameters, make sure TIMEOUT * 2 = SYNC_INTERVAL_TIME.

CRED_FILE_PATH
Description: The path to the Synchronizer Vault User cred file.
Default: ./Vault/VaultConjurSynchronizerUser.cred

VAULT_FILE_PATH
Description: The path to the Vault.ini file used primarily to configure the CyberArk
Vault address.
Default: ./Vault/Vault.ini

LOGS_FOLDER_PATH
Description: Path to the log files. If you customize the log file path, restrict
read/write permissions to the Administrators group.
Default: ./Logs

POLICIES_FOLDER_PATH
Description: The path to the directory where Conjur policies are written. If you
customize the policies folder path, restrict read/write permissions to the
Administrators group. In addition, give read-only permissions to the Users group.
Default: ./ConjurPolicies

log4net > root > level
Description: The log root level. Logs are written from the selected level and above.
Valid values: ALL, DEBUG, INFO, WARN, ERROR, FATAL, OFF
Default: INFO

log4net > root > appender > MaximumFileSize
Description: The maximum size (in MB) of the log file before being rolled.
Default: 4MB

log4net > root > appender > MaxSizeRollBackups
Description: The maximum number of backup files that are kept before the oldest is
erased.
Default: 10

Vault.ini
The Vault parameter file, Vault.ini, contains all the information about the Vault that will be
accessed by CyberArk components. Each component that will access the Vault requires
a Vault.ini file of its own.

Note:
The semicolon (;) and hash (#) characters indicate the beginning of a remark. However,
if these characters appear between quotation marks (“”) or after an equals sign (=) they
are considered to represent a parameter.


Vault

Description The name of the Vault.

Acceptable Values String

Default Value None

Address

Description The IP address of the Vault.

Acceptable Values IP address

Default Value None

Port

Description The Vault IP Port.

Acceptable Values Number

Default Value 1858

Timeout

Description The number of seconds to wait for a Vault to respond to a command before a
timeout message is displayed.

Note:
If you change either the SYNC_INTERVAL_TIME in the VaultConjurSynchronizer.exe.config or
the TIMEOUT in the Vault.ini parameters, make sure TIMEOUT * 2 = SYNC_INTERVAL_TIME.

Acceptable Values Number

Default Value 60

ProxyAddress

Description The proxy server IP address. This is mandatory when using a proxy
server.

Acceptable Values IP address

Default Value None

ProxyPort

Description The Proxy server IP Port.

Acceptable Values Number

Default Value 8081

ProxyUser

Description User for Proxy server if NTLM authentication is required.

Acceptable Values User name

Default Value None

ProxyPassword

Description The password for Proxy server if NTLM authentication is required.

Acceptable Values Password

Default Value None

ProxyAuthDomain

Description The domain for the Proxy server if NTLM authentication is required.

Acceptable Values Domain name

Default Value NT_DOMAIN_NAME

BehindFirewall

Description Accessing the Vault via a Firewall.

Acceptable Values Yes/No

Default Value No

UseOnlyHTTP1

Description Use only HTTP 1.0 protocol. Valid either with proxy settings or with
BEHINDFIREWALL.

Acceptable Values Yes/No

Default Value No

NumOfRecordsPerSend

Description The number of file records that require an acknowledgement from the Vault
server.

Acceptable Values Number

Default Value 15

NumOfRecordsPerChunk

Description The number of file records to transfer together in a single TCP/IP
send/receive operation.

Acceptable Values Number

Default Value 15

ReconnectPeriod

Description The number of seconds to wait before the session with the Vault is
re-established.

Acceptable Values Number


Default Value 1

EnhancedSSL

Description Whether or not to use an enhanced SSL based connection (port 443
is required).

Acceptable Values Yes/No

Default Value No

PreAuthSecuredSession

Description Whether or not to enable a pre- authentication secured session.

Acceptable Values Yes/No

Default Value No

TrustSSC

Description Whether or not to trust self-signed certificates in pre-authentication
secured sessions.

Acceptable Values Yes/No

Default Value No

AllowSSCFor3PartyAuth

Description Whether or not self-signed certificates are allowed for 3rd party
authentication (e.g., RADIUS).

Acceptable Values Yes/No

Default Value No

CIFSGateway

Description The name of the CIFS Gateway.

Acceptable Values String

Default Value None

HTTPGatewayAddress

Description The URL of the HTTP Gateway.

Acceptable Values URL

Default Value URL
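A reader for Vault.ini that follows the remark rule stated in the Note above (a ";" or "#" starts a remark only when it is not inside quotation marks or after the "="), together with the TIMEOUT * 2 = SYNC_INTERVAL_TIME check from the VaultConjurSynchronizer.exe.config table. This is an added example, not CyberArk's parser. It assumes the .exe.config is a standard .NET application configuration file with the parameters as <add key="..." value="..."/> entries under <appSettings> (the page does not show its layout), and that Vault.ini keys are matched case-insensitively; both sample files are constructed.

```python
"""Read Vault.ini with the remark rule stated above and check the
SYNC_INTERVAL_TIME / TIMEOUT relation from the configuration file tables.

Added example, not CyberArk's parser.  Assumptions: VaultConjurSynchronizer.exe.config
is a .NET application configuration file with the parameters under <appSettings> as
<add key="..." value="..."/> (the page does not show its layout); Vault.ini keys are
compared case-insensitively; the sample files below are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional


def parse_vault_ini(text: str) -> Dict[str, str]:
    """Key=value pairs from Vault.ini.

    ';' and '#' start a remark only at the beginning of a line.  After the '='
    (or inside quotes) they are part of the value, as the Note above says, so
    PROXYUSER="svc#sync" keeps its '#', and a trailing "; comment" after a value
    becomes part of that value rather than being dropped.
    """
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank line or remark
        if "=" not in line:
            continue                      # not a parameter line; ignored
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]           # unquote; inner ; or # stay in the value
        params[key.strip().upper()] = value
    return params


def sync_interval_from_exe_config(xml_text: str) -> Optional[int]:
    """SYNC_INTERVAL_TIME (seconds) from the assumed <appSettings> layout."""
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        if add.get("key") == "SYNC_INTERVAL_TIME":
            return int(add.get("value"))
    return None


def interval_matches_timeout(sync_interval: int, timeout: int) -> bool:
    """The rule exactly as the guide states it: TIMEOUT * 2 = SYNC_INTERVAL_TIME.
    The documented defaults (TIMEOUT 60, SYNC_INTERVAL_TIME 300) do not satisfy
    this equality, so reconcile both values whenever you change either of them."""
    return timeout * 2 == sync_interval


def check_configuration(vault_ini: str, exe_config: str) -> bool:
    """True when the two files, with documented defaults filled in, satisfy the rule."""
    params = parse_vault_ini(vault_ini)
    timeout = int(params.get("TIMEOUT", "60"))        # Vault.ini default value
    sync_interval = sync_interval_from_exe_config(exe_config)
    if sync_interval is None:
        sync_interval = 300                            # exe.config default value
    return interval_matches_timeout(sync_interval, timeout)


# Constructed sample files for demonstration.
SAMPLE_VAULT_INI = """\
; Vault.ini for the Synchronizer (constructed sample)
VAULT=ProdVault
ADDRESS=10.0.0.5
PORT=1858
TIMEOUT=150
PROXYUSER="svc#sync"
# the proxy password is deliberately not stored in this sample
"""

SAMPLE_EXE_CONFIG = """\
<configuration>
  <appSettings>
    <add key="INTEGRATION_VAULT_NAME" value="ProdVault"/>
    <add key="SYNC_INTERVAL_TIME" value="300"/>
  </appSettings>
</configuration>
"""

if __name__ == "__main__":
    print(parse_vault_ini(SAMPLE_VAULT_INI))
    print("interval consistent:", check_configuration(SAMPLE_VAULT_INI, SAMPLE_EXE_CONFIG))
```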


Run Synchronizer

This topic describes how to run the Vault-Conjur Synchronizer.


1. Navigate to C:\Program Files\CyberArk\Synchronizer and double-click on
VaultConjurSynchronizer.exe
2. Go to <LOGS_FOLDER_PATH> and open the VaultConjurSynchronizer.log log
file to verify that Synchronizer is running without errors.
You can configure the log folder path under the LOGS_FOLDER_PATH parameter
in the VaultConjurSynchronizer.exe.config file.

Note:
The first sync might take some time.


Line of Business (LOB)

Overview
A line of business (LOB) represents a business group that requires access to secrets
from the Vault. This enables segregation of duty (SoD). The LOB facilitates the syncing
of accounts to Conjur.
This topic describes how to add and assign permissions to an LOB user.

Add an LOB

Note:
LOB Name cannot include special characters.

Add an LOB manually

Note:
You can use Postman for this step by running the following requests in the Line of
Business (LOB) folder:
- Create LOBUser
- Create an LOBUser Account
- Add LOBUser to synchronized Safe

PrivateArk client
Go to Tools > Administrative Tools > Users and Groups > New > User and create
a Vault user for the LOB, provide a password for this user and update the following
values:

General tab
User name: LOBUser_<LOB name>
User type: APPProvider

Authentication tab
User Must Change Password at Next Logon: Uncheck
Password never expires: Check

PVWA
1. Assign the Vault user LOBUser_<LOB name> as an owner of the Safes you would
like to sync with Conjur. The LOBUser_<LOB name> user requires the following
permissions:

Access: Use accounts, Retrieve accounts, List accounts
Workflow: Access Safe without confirmation

2. Create an account for the LOB User with the following configuration:

Store in Safe: ConjurSync
Device Type: Application
Platform Name: CyberArk Vault (supported on Vault version 5.0 and above)
User Name: LOBUser_<LOB name>
Address: IP Address of the Vault
Password: Password of LOBUser_<LOB name>
Name: LOBUser_<LOB name>

Add an LOB using Postman


Run the following requests using Postman in the Line of Business (LOB) folder:
1. PVWA Logon
2. Create LOBUser
3. Add LOBUser to synchronized Safe
4. Create an LOBUser Account
5. PVWA Logoff

Note:
If you want to sync more than one safe with Conjur, send a separate Add LOBUser to
synchronized Safe request with the Safe name for each one.

Delete an LOB
To stop synching a particular LOB, do the following steps:


PVWA
1. Log in to the PVWA as a Vault administrator.
2. Delete the LOBUser_<LOB name> user account from the ConjurSync safe.

PrivateArk client
Delete the LOBUser_<LOB name> user.

Synchronizer machine
1. Copy the <vault name>/<LOB name> policy from the POLICIES_FOLDER_PATH folder to
another location accessible to the Conjur CLI. Edit the following:
a. Replace all active-variables with inactive-variables.
b. Change all variables' ownership from !group lob_name-admins to !policy.
c. Add the following permit lines to the end of the policy file:

- !permit
  replace: true
  role: !policy
  privilege: [ read, execute ]
  resources: *inactive-variables

2. Load the policy using the Conjur CLI:

conjur policy load <path_to_policy_file>

3. Delete the original policy file.
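The three edits of step 1 applied to a copy of an LOB policy by a short Python script, so that the same transformation is made for every LOB that is retired. This is an added example, not CyberArk tooling. It assumes the generated policy carries a YAML anchor named &active-variables that the alias *inactive-variables refers to once renamed (the procedure names active-variables and inactive-variables, but the page does not show the file layout); the sample policy is constructed from the variable entries shown earlier, under the LOB name lob1.

```python
"""Apply the edits in the "Delete an LOB" procedure above to a copy of an LOB policy.

Added example, not CyberArk tooling.  Assumptions: the generated policy names its
variable list with a YAML anchor `&active-variables` (the page does not show the
file layout); the sample policy below is constructed.
"""
import re

# Step 1c: the permit lines from the procedure, appended verbatim.
PERMIT_INACTIVE = """\
- !permit
  replace: true
  role: !policy
  privilege: [ read, execute ]
  resources: *inactive-variables
"""


def deactivate_lob_policy(policy_text: str, lob_name: str) -> str:
    """Return the edited policy text: steps 1a, 1b and 1c of the procedure."""
    # 1a. active-variables -> inactive-variables (anchor and alias alike).  The \b
    # keeps an already renamed 'inactive-variables' from becoming 'ininactive-...'.
    text, n_anchor = re.subn(r"\bactive-variables\b", "inactive-variables", policy_text)
    if n_anchor == 0:
        raise ValueError("no active-variables anchor or alias found; not an LOB policy?")
    # 1b. every variable changes owner from the LOB admin group to the policy itself.
    owner_re = re.compile(
        r"^([ \t]*owner:[ \t]*)!group[ \t]+" + re.escape(lob_name) + r"-admins[ \t]*$",
        re.MULTILINE)
    text, n_owner = owner_re.subn(r"\1!policy", text)
    if n_owner == 0:
        raise ValueError(f"no variables owned by !group {lob_name}-admins")
    # 1c. append the permit so the policy role keeps read/execute on the inactive set.
    if not text.endswith("\n"):
        text += "\n"
    return text + "\n" + PERMIT_INACTIVE


def count_variables_owned_by_policy(policy_text: str) -> int:
    """How many entries now read `owner: !policy` (should equal the variable count)."""
    return len(re.findall(r"^[ \t]*owner:[ \t]*!policy[ \t]*$", policy_text, re.MULTILINE))


# Constructed sample: the two variable entries of one single account, under the
# assumed &active-variables anchor, owned by the admin group of the LOB "lob1".
SAMPLE_LOB_POLICY = """\
- &active-variables
  - !variable
    id: Safe1/Account1/username
    owner: !group lob1-admins
    annotations:
      cyberark-vault: true
      cyberark-vault/accounts: Vault_Name/Safe1/Account1
  - !variable
    id: Safe1/Account1/password
    owner: !group lob1-admins
    annotations:
      cyberark-vault: true
      cyberark-vault/accounts: Vault_Name/Safe1/Account1
"""

if __name__ == "__main__":
    print(deactivate_lob_policy(SAMPLE_LOB_POLICY, "lob1"))
```

Review the printed result before loading it with `conjur policy load`, since the script only performs the textual edits the procedure lists.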

Supported LOBs
The Synchronizer can support up to 10 LOBs. If you initially add more than 10 LOBs, the
Synchronizer doesn't start and generates an error in the logs.
If you add LOBs after the Synchronizer started and the total number of LOBs exceeds 10,
the Synchronizer does not sync these additional LOBs and generates an error in the logs.


Conjur Policies

A Conjur policy enables you to define security rules in declarative files. These security
rules describe which users and services have privilege to access machines, or to get
secrets like passwords and API keys.
After the Synchronizer loads the LOB policies where Conjur variables are defined, you
can apply different Conjur delegation policies to provide permissions to the synced
variables to Conjur users, groups, hosts, and layers.
For example:

- !host
  id: delegated-host

- !permit
  role: !host delegated-host
  privileges: [ read, execute ]
  resources: [ !variable <variable-id> ]

To load the delegation policy, log in as the LOB administrator. To retrieve the API key of
the LOB administrator, log in to Conjur as the Conjur administrator and run the following
command:

conjur user rotate_api_key --user <lob name>-admin

For details on creating and loading Conjur policies, see Policy Guide.


Accounts and Safes

In this section:
Manage Single Accounts
Manage Dual Accounts
One-time Passwords and Exclusive Accounts
Manage Accounts and Safes During Synchronization

Manage Single Accounts


This topic describes how you can provision accounts in the Password Vault.

Provisioning methods

PVWA: You can provision accounts individually in the Vault in the Add Accounts page of
the PVWA.
Accounts Feed: You can configure the CPM to scan an organizational network and retrieve
a list of accounts that have access to its computers and their dependencies.
Provisioning Accounts Automatically: You can detect and provision accounts
automatically, providing a full life-cycle automatic management system for Windows
accounts and their services.
Web Service: You can provision accounts using the AddAccount web service.
Bulk upload: You can provision multiple accounts with the Password Upload utility.

For more information about these provisioning methods, see the Privileged Account
Security Implementation Guide or the Privileged Account Security Help Center.

Add an account in the PVWA


The following procedure describes how to add an account in the PVWA.

Add an account
1. Click ACCOUNTS to display the Accounts page.
2. Click Add Account; the Add Account page appears.

Note:
This button will only be displayed if you have the Add accounts, Update password
value, or update password properties authorization in at least one Safe.


3. From the Safe drop-down list, select the Safe where the account will be stored.
4. From the Device drop-down list, select the platform on which the new password is
used.
5. From the Platform Name drop-down list, select an active target platform.
6. Required or optional properties for the type of account that you have selected will
appear automatically, according to the definitions in the target platform
configurations.
7. Specify the required account properties and, if necessary, the optional account
properties.

Note:
To specify an IPv6 address, specify the global format, as shown in the following
example: 1000:1000:1000:1000:1000:1000:1000:0055
For a list of platforms that support automatic password management on IPv6, refer
to the Privileged Account Security System Requirements.

8. In the Password field, specify the password. Make sure this password meets your
enterprise password policy requirements.
9. In the Confirm Password field, specify the password again.
10. To generate a password name automatically, select Auto-generated. For more
information about naming passwords automatically, refer to Identifying Accounts in
the Privileged Account Security Implementation Guide.
11. To specify a password name, enter the name in the Custom field.
12. To disable automatic password management by the CPM for this password so that it
will be managed manually, select Disable automatic management for the
password. You can also enter a reason for doing this.

Note:
The CPM user must be an owner of the Safe where the password will be stored
and a platform name of an active target account platform must be specified in order
for the password to be managed by the CPM.

13. Click Save; the new account is added.


14. If the PVWA is configured to automatically change or verify passwords when they are
added, this will be done now. For more information about configuring this feature,
refer to Adding Accounts in the Privileged Account Security Implementation Guide.
15. The account is now created in the specified Safe and the new account details are
displayed in the Account Details page. If the specified password contains leading
and/or trailing white space character(s), a message appears in the Account Details
page indicating that they will automatically be removed.
16. Some platforms require additional information. You can specify this information in the
tabs in the Account Details page.


Manage Dual Accounts


The Dual Accounts deployment method eliminates any edge case delays that may be
encountered when using the Single Account deployment method. Using the Single
Account deployment method, delays may be incurred in edge cases such as when a
password is requested exactly when CPM is changing that password. Using Dual
Accounts ensures no delays are incurred when the application needs credentials, since a
password that is currently used by an application will never be changed. This is especially
recommended for high-load and critical applications.
Instead of relying on one privileged account for each application, the Dual Accounts
solution uses two privileged accounts that have identical privileges to the system,
database or application. One account is tagged as “active” while the other is “inactive”.
Using this method, the rotation of credentials is done on the “inactive” account, which
leaves the “active” account untouched until the rotation process has finished. The
application will continue to use the “active” account until credential rotation has finished,
and will then go on to use the newly changed account.
The password change process does not incur any delay in providing a password to an
application, since it is always done on the inactive account, thus, ensuring business
continuity. Once the inactive account password has been changed safely, the handoff
between the active and inactive accounts takes place by switching the status of the
accounts, from “inactive” to “active”, and vice versa. At all times, an active account
password is available and is never changed while in use by the application, which makes
the process seamless and safe.
The Dual Account solution introduces two new account properties that are used to
determine which accounts are valid for use at any given time.

Property: Description

DualAccountStatus: This property flags accounts as Active or Inactive. Dual account pairs will always have one active account and one inactive account.

VirtualUsername: This property identifies two similarly provisioned accounts in a dual accounts pair under one virtual username.

On each target system, there must be two identical accounts (i.e. with the same
permissions), the dual accounts pair, that will be used by the application to connect to the
system. While in the Vault one account is tagged as active and the other account is
tagged as inactive (using the DualAccountStatus property), on the target system (e.g.
database), they are both enabled. CyberArk AIM does not enable or disable accounts on
target systems.
A typical example is when an application connects to a remote database. When using the
Dual Account solution, the database must have two identical accounts (the dual accounts
pair) which are identified by the “VirtualUsername” property.

Example:
The BillingApp application, regularly requests an account password from the
Credential Provider in order to connect to a DB2 database, located on 10.0.0.1.


When using the Dual Account solution, two accounts are required to reside on the DB2
database. Both accounts have the same value for their VirtualUsername property,
which links them and creates the dual accounts pair. These accounts will be used by the
BillingApp application to connect to the database when required. One account will
always be Active and one account will always be Inactive. The status will be updated
during a password change.

Note:
These two accounts must have the same permissions, as the application will always use
one of these accounts to connect to the database.

In this section:

Configure Dual Accounts


This topic describes how to configure Dual Account password management.

Configure support for dual accounts password management


To support rotation of the two accounts before a CPM Password Change, the two
accounts are grouped into a Rotational Group.
For details about the PAS functionality mentioned in this section, see the Privileged
Account Security Implementation Guide.
Prepare the Vault environment for dual account support

Note:
This step needs to be done once.

In the PrivateArk Client, add the following file categories to the Vault environment:

Category (Type): Description

CurrInd (Numeric): This file category is applied to the group account and indicates the currently active account in the Rotational Group context. The value matches an account index (see below) in the Rotational Group.

Index (Numeric): This file category is applied to all accounts in the Rotational Group. Accounts will be rotated in ascending order according to their index.

DualAccountStatus (List): Valid values: Active/Inactive.

VirtualUsername (Text): A logical name that represents both accounts in the Rotational Group.

Rotational group platform configuration


Configure the Platform that will be used by the Group Object.


Note:
Do this step for each Platform setting. If one Platform setting addresses all Dual
Accounts’ pairs and their needs, it may be reused.

In PVWA’s Platform Management:


1. Duplicate the Sample Password Group Platform template.
2. Rename the Platform to represent its purpose. For example, Rotational Policy.
3. Activate the Platform. Click Edit to configure the new p
4. Go to Target Account Platform > Automatic Password Management > General. Edit the
Platform's PolicyType to RotationalGroup.

5. Go to Target Account Platform. Right-click Automatic Password Management > Add
additional Policy Settings. Right-click Additional Policy Settings > Add Parameters.
Right-click Parameters > Add Parameter. Add a custom property to the group, called
GracePeriod.
6. Set the GracePeriod parameter and value:
The GracePeriod value is the number of minutes between the rotation of roles
between the accounts (Active/Inactive) and the beginning of the password change
process for the current Inactive Account.
This enforces a delay that ensures there are no discrepancies between the account
being used by the application and the one having its password rotated, similar to the
StartChangeNotBefore property used in single account management.
Where the Synchronizer (Conjur) consumes the accounts, it is recommended that the
GracePeriod value is set to be 3 times longer than the sync interval time
(SYNC_INTERVAL_TIME) parameter of the Synchronizer.
Where the Credential Provider (AIM) consumes the accounts, it is recommended that the
GracePeriod value is set to be 3 times longer than the CacheRefreshInterval of the
Credential Provider. The CacheRefreshInterval parameter is stored in the main
configuration file in the vault.

Note:
In an environment where Dual Accounts is implemented for both AIM and Conjur,
set the value of the GracePeriod for both to whichever value is higher.

7. Save the new Platform.
Configure the object's platform for dual account support
Configure the Platform that will be used by each of the Dual Accounts' objects.

Note:
This step needs to be done for each Platform used by Dual Account objects.

Configure the object's platform


1. Go to Target Account Platform > UI & Workflow > Properties. Right-click
Optional and add the following properties previously defined in the Vault:
Index
DualAccountStatus
VirtualUsername
2. Save the Platform.
Configure accounts and groups for dual accounts support

Note:
This step is done for each account that is used as Dual Account.

Configure for dual accounts support

1. Click to configure dual account support.


2. Create the account object.

Note:
Both accounts must be created in the same Safe.

3. For each dual account, select Account Details > Edit to edit the dual account
properties:

Property: Description

VirtualUsername: Logical representation of the account pair. This value must be the same on both accounts.

Index: Ascending from 1.

DualAccountStatus: On the account with Index value '1', set this value to 'Active'. Set the other account to 'Inactive'.

4. On the CPM tab, click Create New or Modify to add the account to a group:

Property: Description

Group: Enter a group name. This should be the same for both accounts.

Platform Name: Specify the Dual Account platform that you specified in the previous step.

Set the index of the group object

Note:
This step is done once on the group object.

Set index
Using the PrivateArk Client, edit the group object (this can be found in the Group folder of
the Safe containing the Dual Accounts objects):
1. Right-click the Group object.
2. Select Properties > File Categories.


3. Add a file category called CurrInd with a value of 1. This indicates the index of the
account that is set as Active.

Account rotation flow


Under the Rotational Group Platform configuration, the rotation flow is as follows:
1. The CPM detects that the Rotational Group requires a password change, based on
its Platform settings.
2. DualAccountStatus of both accounts is switched between Active and Inactive.
3. The CurrInd of the Group is updated to the index of the Active account.
4. The Inactive account is marked for a password change.
5. Based on the GracePeriod property of the Rotational Group Platform, the password
change is delayed, allowing the Credential Provider to refresh its cache and start
working with the current Active account.
6. Once the grace period has ended, the CPM will initiate a password change task for
the Inactive account.
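The rotation flow above, as an added simulation in Python that is not CyberArk code: it models the Index, DualAccountStatus, VirtualUsername and CurrInd properties and the GracePeriod delay, and checks the invariant the flow exists to guarantee, that the application never sees a password change on the account it is currently using. Account names, passwords and the minute-based clock are constructed for the example.

```python
"""Simulation of the Dual Accounts rotation flow (added example, not CyberArk code).

Models the Vault-side properties the guide names (Index, DualAccountStatus,
VirtualUsername, CurrInd, GracePeriod). Time is counted in minutes; account
names and passwords are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    username: str
    index: int                    # Index file category, 1 or 2
    status: str                   # DualAccountStatus: "Active" or "Inactive"
    virtual_username: str         # VirtualUsername shared by the pair
    password: str
    change_pending: bool = False  # marked for a CPM password change


@dataclass
class RotationalGroup:
    name: str
    grace_period: int             # GracePeriod platform parameter, in minutes
    members: List[Account]
    curr_ind: int = 1             # CurrInd file category on the group object
    change_due_at: Optional[int] = None   # minute at which the CPM may change the Inactive password
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Configuration rules from the guide: two accounts, one VirtualUsername,
        # Index values 1 and 2, the Index 1 account Active, CurrInd = 1.
        if len(self.members) != 2:
            raise ValueError("a dual account group has exactly two members")
        if len({a.virtual_username for a in self.members}) != 1:
            raise ValueError("both accounts must share the same VirtualUsername")
        by_index = {a.index: a for a in self.members}
        if sorted(by_index) != [1, 2]:
            raise ValueError("Index values must be 1 and 2")
        if by_index[1].status != "Active" or by_index[2].status != "Inactive":
            raise ValueError("the Index 1 account starts Active and the other Inactive")
        self.curr_ind = 1

    def active(self) -> Account:
        return next(a for a in self.members if a.status == "Active")

    def inactive(self) -> Account:
        return next(a for a in self.members if a.status == "Inactive")

    def resolve(self, virtual_username: str) -> Account:
        """What the consumer does: map the VirtualUsername to the Active account."""
        if virtual_username != self.members[0].virtual_username:
            raise KeyError(virtual_username)
        return self.active()

    def rotate(self, now: int) -> None:
        """Steps 1-5: the CPM decides a change is due, swaps both statuses,
        updates CurrInd, marks the now-Inactive account and starts the GracePeriod."""
        if self.change_due_at is not None:
            raise RuntimeError("a rotation is already in progress")
        for a in self.members:
            a.status = "Inactive" if a.status == "Active" else "Active"
        self.curr_ind = self.active().index
        self.inactive().change_pending = True
        self.change_due_at = now + self.grace_period
        self.events.append(f"t={now}: CurrInd={self.curr_ind}, change of "
                           f"{self.inactive().username} due at t={self.change_due_at}")

    def cpm_tick(self, now: int, new_password: str) -> bool:
        """Step 6: once the grace period has ended, change the Inactive password.
        Returns True when a change was performed at this tick."""
        if self.change_due_at is None or now < self.change_due_at:
            return False
        acct = self.inactive()
        if not acct.change_pending:
            raise RuntimeError("inactive account is not marked for change")
        acct.password = new_password
        acct.change_pending = False
        self.change_due_at = None
        self.events.append(f"t={now}: password of {acct.username} changed")
        return True


def observed_passwords(seen: List[Tuple[int, str, str]]) -> Dict[str, Set[str]]:
    """Passwords the application used per account; one entry each if the invariant held."""
    out: Dict[str, Set[str]] = {}
    for _, username, password in seen:
        out.setdefault(username, set()).add(password)
    return out


def demo(grace_period: int = 15, rotate_at: int = 5, until: int = 25) -> dict:
    """The application fetches credentials every minute while one rotation happens."""
    group = RotationalGroup("billing-group", grace_period, members=[
        Account("billing_a", 1, "Active", "billing", "pw-a-v1"),
        Account("billing_b", 2, "Inactive", "billing", "pw-b-v1"),
    ])
    seen: List[Tuple[int, str, str]] = []
    changed_at = None
    for minute in range(until + 1):
        if minute == rotate_at:
            group.rotate(minute)
        acct = group.resolve("billing")
        seen.append((minute, acct.username, acct.password))
        if group.cpm_tick(minute, new_password="pw-a-v2"):
            changed_at = minute
    return {"group": group, "seen": seen, "changed_at": changed_at}


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["group"].events))
    print(observed_passwords(result["seen"]))
```

Running the block prints the two events (the status swap at t=5 with CurrInd set to 2, then the password change of the Inactive account at t=20, once the 15-minute GracePeriod has elapsed) and shows that each account's password, as seen by the application, never changed while that account was in use. This is why the guide sizes GracePeriod from the consumer's refresh interval: the CPM change is held back until the consumer has had time to switch to the new Active member.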

Configure the password change interval for dual accounts


The following section describes how to set the interval for an automatic password change
in the PVWA:
In Dual Account configuration, a password is changed only after the Account Rotation
process is completed and the GracePeriod has ended.
Therefore, to comply with your organizational password change policy, the following
formula can be used to calculate the password’s expiration period (Require password
change every X days) in the Rotational Group Platform settings:

Example:
There is an organizational audit requirement that passwords will be changed
every 30 days.
The Rotational Group has 3 members.
Set the expiration period of the Rotational Group to 10 days.

Set the interval for automatic password change in PVWA


1. Go to Administration > Platform Management > Rotational Policy > Edit >
Automatic Password Management > Password Change. Edit
PerformPeriodicChange to Yes.
2. Go to Policies > Master Policy > Password Management > Require password
change every X days. Select Add Exception. Select <platform you created
earlier> > Next. Edit the value to the number of days wanted.


Limitations
Account usages are not supported in automatic Dual Account configuration.
When initiating a manual password change on an account that is a member of a
Rotational Group, the "Synchronize the current account's password with the group's
password" radio button is not supported.
Selecting this option will cause the specific account’s password to be out of sync with the
Credential Provider cache.

One-time Passwords and Exclusive Accounts


The Synchronizer can retrieve accounts that have been configured for one-time
password access and exclusive accounts. However, the effects of interactive user usage
and application usage vary, as explained below.

Interactive usage of one-time passwords and exclusive accounts

When one-time accounts are used, their password is changed after every usage, based
on the Master Policy. In addition, if Exclusive Access is enforced by the Master Policy, the
account is automatically locked during usage. For more information about one-time
passwords and exclusive access, refer to The Master Policy in the Privileged Account
Security Implementation Guide.

Application usage of one-time passwords and exclusive accounts

Inherently, applications require passwords at a very high rate. Therefore, one-time
password workflows are not relevant when applications retrieve passwords. Similarly,


several applications in your organization may require the same account to be used at the
same time and, therefore, exclusive account workflows are not relevant either.
Nevertheless, it is possible for applications to use accounts that have been configured to
use one-time passwords and/or exclusive accounts. Unlike interactive user workflows,
one-time passwords that are retrieved by the Synchronizer do not trigger a password
change, nor will accounts be locked (if Exclusive Access is configured).
Interactive users may continue using these accounts at the same time as applications use
them. However, use by interactive users and applications concurrently will invoke
frequent password changes on accounts that have been configured for one-time access.
Password changes require the Synchronizer to access the Vault in order to retrieve
the new password, and so introduce additional load.
If possible, it is recommended to separate accounts used by interactive users and
accounts used by applications.

Manage Accounts and Safes During Synchronization


This topic describes how to manage accounts and safes during synchronization.

Add an Account
1. Add an account to a synced safe (the LOB User is an owner of that safe).
2. In the next sync interval, the account is added to the LOB and corresponding
variables are created in Conjur.
3. After the variables are created and loaded, create a delegation policy and grant
permissions to hosts and users on the variables.

Rename an Account
1. Give an account, that is synced to Conjur, a new name. (The LOB User is an owner
of the safe that the account is stored in.)
2. In the next sync interval, the renamed account is added to the LOB as a new account
and the variables are created in Conjur.
3. After the variables are created and loaded, create a delegation policy and grant
permissions to hosts and users for these variables.

Note:
The variables that correspond to the account before you renamed it are not deleted
from Conjur. For details, see Limitations, page 41.

Add a Safe
1. Create a new safe with accounts and add the LOB User as an owner of that safe, or
add the LOB User as an owner of an existing safe.
2. In the next sync interval, the accounts are added to the LOB and the variables are
created in Conjur.
3. After the variables are created and loaded, create a delegation policy and grant
permissions to hosts and users on the variables.


Rename a Safe
1. Give a safe that already syncs to Conjur a new name. The LOB User is an owner of
that safe.
2. In the next sync interval, the renamed safe's accounts are added to the LOB and the
variables are created in Conjur.
3. After the variables are created and loaded, create a delegation policy and grant
permissions to hosts and users on the variables.

Note:
The variables that correspond to the safe's accounts as they were before you renamed
the safe are not deleted from Conjur. For details, see Limitations, page 41.

Delete an Account or Safe


Deleting an account or a safe from a currently synced LOB is not supported. For details,
see Limitations, page 41.


Limitations

The following is a list of Synchronizer limitations:

High Availability is not supported.

Synced Accounts per LOB: one LOB can support up to 10,000 accounts; however, you
cannot exceed 20,000 accounts across all 10 LOBs.

Variable names are limited to 126 characters.

You cannot add a username to an account that has already been synced by the
Synchronizer. The username variable will not sync and an error message is written
to the log during each sync interval.

Two accounts are supported in a dual account group.

Disaster Recovery Vaults are not supported.

Distributed Vaults are not supported.

You should only change the account secret values in the Vault. If you change the
value in Conjur, unexpected behavior may occur.

The Synchronizer syncs accounts found in the root folder of the Safe. Accounts
located in sub-folders are not synced to Conjur.

Deleting an account or a safe from a currently synced LOB is not reflected in Conjur.
Variables and their values are not deleted in Conjur when you delete an account in
the Vault. This is also true for variables of accounts in a deleted safe. Therefore, we
recommend that the LOB admin revoke permissions for variables of the deleted
accounts after deleting them from the Vault.
Create a policy to revoke privileges:

- !permit
  role: !policy lob-id
  replace: true
  privileges: [ read, execute ]
  resources: [ !variable variable-to-delete ]


Logs

Synchronizer logs are located in <LOGS_FOLDER_PATH>. The logs folder contains
the trace log files that track the Synchronizer activity. The main log file is called
VaultConjurSynchronizer.log.
You can configure the log folder path under the LOGS_FOLDER_PATH parameter in
the VaultConjurSynchronizer.exe.config file. For details, see .
The following describes the log entry format:
[Date] [Thread ID] [Thread Context] [Debug Level] [Message]

Parameter: Description

Date: Time of the log entry.

Thread ID: ID of the thread that wrote the entry.

Thread Context: The name of the LOB processed by the thread, or main if outside the context of the LOBs.

Debug Level: The log root level. Logs are written from the selected level and above. Valid values: ALL, DEBUG, INFO, WARN, ERROR, FATAL, OFF.

Message: The log entry message.


Troubleshooting

This topic describes how to troubleshoot specific errors issued by the Synchronizer to the
Logs.

Issue: Connection timeout to the vault
Error code: ITACM012S
Resolution: Increase the TIMEOUT parameter value in the <Installation path>\Vault\Vault.ini file. The default value is 60 seconds.

Issue: During Synchronizer start up, the number of LOBs exceeds 10
Error code: VCSS004F
Resolution: The Synchronizer can support up to 10 LOBs. If you initially add more than 10 LOBs, the Synchronizer doesn't start and generates an error in the logs. Verify the number of LOBs defined in the Vault is 10 or less.

Issue: After start up, the number of LOBs exceeds 10
Error code: VCSS001W
Resolution: If you add LOBs after the Synchronizer started and the total number of LOBs exceeds 10, the Synchronizer does not sync these additional LOBs and generates a warning in the logs. Verify the total number of LOBs defined in the Vault does not exceed 10.

Issue: Could not exclusively lock Session Instance
Error code: CASSE001E
Resolution: If you change either the SYNC_INTERVAL_TIME in the VaultConjurSynchronizer.exe.config or the TIMEOUT in the Vault.ini parameters, make sure TIMEOUT * 2 = SYNC_INTERVAL_TIME.

Issue: Conjur is overloaded because too many LOBs are being synced
Error code: VCSS007E
Resolution: LOBs that did not sync will sync during the next interval.

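As an added example covering both the log entry format described under Logs and the troubleshooting table above (not CyberArk code): a Python parser for the documented [Date] [Thread ID] [Thread Context] [Debug Level] [Message] layout, a level filter that mirrors the root-level behaviour (the selected level and above), and a triage step that looks up the error codes from the table and attaches the documented resolution. The sample log lines are constructed, and the code assumes the error code appears somewhere in the message text.

```python
"""Parser and triage helper for Synchronizer log entries (added example, not CyberArk code).

Assumes the entry format the guide documents:
    [Date] [Thread ID] [Thread Context] [Debug Level] [Message]
and uses the error codes and resolutions from the troubleshooting table.
The sample log lines are constructed for this example.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Debug levels in the order the guide lists them (lowest to highest).
LEVELS = ["ALL", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF"]

# [Date] [Thread ID] [Thread Context] [Debug Level] [Message]
LINE_RE = re.compile(
    r"^\[(?P<date>[^\]]+)\] \[(?P<thread_id>[^\]]+)\] \[(?P<context>[^\]]+)\] "
    r"\[(?P<level>[A-Z]+)\] \[?(?P<message>.*?)\]?$"
)

# Shape of the error codes documented in the troubleshooting table (assumed pattern).
CODE_RE = re.compile(r"\b([A-Z]{4,5}\d{3}[A-Z])\b")

# Issues and resolutions as given in the troubleshooting table.
KNOWN_ISSUES: Dict[str, Dict[str, str]] = {
    "ITACM012S": {
        "issue": "Connection timeout to the vault",
        "resolution": "Increase the TIMEOUT parameter in <Installation path>\\Vault\\Vault.ini "
                      "(default 60 seconds).",
    },
    "VCSS004F": {
        "issue": "Number of LOBs exceeds 10 at Synchronizer start up",
        "resolution": "Verify the number of LOBs defined in the Vault is 10 or less; "
                      "the Synchronizer does not start otherwise.",
    },
    "VCSS001W": {
        "issue": "Number of LOBs exceeds 10 after start up",
        "resolution": "LOBs beyond 10 are not synced; verify the total does not exceed 10.",
    },
    "CASSE001E": {
        "issue": "Could not exclusively lock Session Instance",
        "resolution": "After changing SYNC_INTERVAL_TIME or TIMEOUT, make sure "
                      "TIMEOUT * 2 = SYNC_INTERVAL_TIME.",
    },
    "VCSS007E": {
        "issue": "Conjur is overloaded because too many LOBs are being synced",
        "resolution": "LOBs that did not sync will sync during the next interval.",
    },
}

# Constructed sample log (not real Synchronizer output).
SAMPLE_LOG = """\
[2018-05-01 10:00:00,123] [1] [main] [INFO] [Synchronizer started]
[2018-05-01 10:00:00,456] [1] [main] [DEBUG] [Loaded 3 LOBs from the Vault]
[2018-05-01 10:00:05,001] [7] [BillingLOB] [INFO] [Sync interval completed, 42 accounts synced]
[2018-05-01 10:00:05,002] [8] [PaymentsLOB] [WARN] [VCSS001W LOB added after start up exceeds the limit of 10 LOBs and will not be synced]
[2018-05-01 10:00:06,300] [9] [HRLOB] [ERROR] [CASSE001E Could not exclusively lock Session Instance]
[2018-05-01 10:01:00,000] [1] [main] [FATAL] [ITACM012S Connection timeout to the vault]
this line is not in the documented format and is skipped
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one entry into its five fields, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def parse_log(text: str) -> List[Dict[str, str]]:
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and entry["level"] in LEVELS:
            entries.append(entry)
    return entries


def count_by_level(entries: List[Dict[str, str]]) -> Counter:
    return Counter(e["level"] for e in entries)


def at_or_above(entries: List[Dict[str, str]], level: str) -> List[Dict[str, str]]:
    """Entries a root level of `level` would have written (that level and above)."""
    threshold = LEVELS.index(level)
    return [e for e in entries if LEVELS.index(e["level"]) >= threshold]


def triage(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """For WARN and above, extract the error code and attach the documented resolution."""
    findings = []
    for e in at_or_above(entries, "WARN"):
        m = CODE_RE.search(e["message"])
        code = m.group(1) if m else None
        known = KNOWN_ISSUES.get(code or "", {})
        findings.append({
            "code": code,
            "level": e["level"],
            "context": e["context"],
            "issue": known.get("issue", "undocumented"),
            "resolution": known.get("resolution", "no documented resolution; inspect the message"),
        })
    return findings


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(dict(count_by_level(parsed)))
    for f in triage(parsed):
        print(f"{f['level']:5} {f['context']:12} {f['code']}: {f['resolution']}")
```

Because the Thread Context field carries the LOB name (or main), the triage output tells you which LOB a warning or error belongs to, which is what you need when VCSS001W reports that only some LOBs stopped syncing. Lines that do not match the documented format are skipped rather than failing the whole run.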