CAU 02 Conjur - Fundamentals Installation

This document provides an overview of installing Conjur Secrets Manager, including system requirements and installing a high availability configuration. It recommends deploying a leader node, at least two standby nodes in the same fault zone as the leader, and additional standby nodes or followers in separate fault zones for disaster recovery. A load balancer is used to distribute traffic to the follower nodes and ensure availability. Digital certificates are required to secure communication between the nodes.


Installation

This lesson provides an installation overview for the Conjur Secrets Manager solution.

Upon completion of this lesson the participant will be able to:

Lesson Objectives
► Learn the system requirements and prerequisites to install Conjur
► Learn how to install a high-availability Conjur Secrets Manager solution
► Learn how to verify system health

This presentation contains tables and diagrams with a lot of useful information. As you view the module, note there are places where the video will pause to allow you to review before proceeding.

Copyright © 2023 CyberArk Software Ltd. All rights reserved. cyberark.com
Requirements

Conjur System Requirements
• Linux Host Operating System
• Secure / Harden Linux based on industry standards and container platform security guidance

Conjur Software Distribution
• Packaged as container image
• Supports Leader, Standbys, and Followers
• AWS Amazon Machine Image (AMI) available
Minimum Conjur Nodes
– 1 Leader
– 2 Standbys
– 1 or more Followers (at least two recommended)
RECOMMENDED: deploy 2 Standbys in the same fault zone as the Leader, and DR Standbys in another remote fault zone

• One Standby is configured for synchronous replication to prevent data loss
• Auto-failover cluster automatically selects the most appropriate Standby to become the new synchronous Standby
• All other Standbys participate in asynchronous replication of the Leader. For these Standbys, replication lags updates to the Leader
• Followers typically deployed with load balancer

[Diagram: App -> App LB -> Follower, Follower in AZ (DC) 3 / Cloud; LB Layer 4 -> Leader, Standby, Standby in AZ (DC) 1; DR Standby, DR Standby in AZ (DC) 2]
DOMAIN NAMES:
• Create fully qualified domain names (FQDN)
• Avoid functionality in names (e.g. Standby)
• DNS name must not contain an underscore ( _ )
• Domain names must be 63 characters or less in length
• DNS Server is required for auto-failover cluster. Strongly recommended for manual failover cluster.

NETWORK:
• Configure layer 4 load balancer
• Supports F5, AWS ELB, HAProxy, or other
• Used to coordinate PostgreSQL replication
• Must be able to perform HTTP health checks: verify HTTPS (443) status on each node, or verify HTTP (444) status on each node

SSL CERTIFICATE:
• Self-signed certificates included by default
• Recommended to create third-party certificates

Purpose | Fully Qualified Domain Name | IP Address | Description
Conjur Cluster | conjur-prod.domain.com | Load Balancer VIP (Cluster) | Load Balancer
Conjur Cluster | conjur1.domain.com | Conjur Node1 IP | Leader (Master)
Conjur Cluster | conjur2.domain.com | Conjur Node2 IP | Standby1
Conjur Cluster | conjur3.domain.com | Conjur Node3 IP | Standby2
Followers | conjur-follower.domain.com | Load Balancer VIP (Followers) | Load Balancer
Followers | follower1.domain.com | Follower Node1 IP | Follower1
Followers | follower2.domain.com | Follower Node2 IP | Follower2
FOLLOWERS PURPOSE:
• Read-replica copy of Conjur Leader
• Serve application secrets retrieval requests
• Based on "shared-nothing" architecture

LOAD BALANCER:
• Placement in front of followers
• Distribute HTTPS traffic between followers

RECOMMENDATIONS:
• Start with minimum of 2 followers
• Multiple groups of followers can be deployed with separate load balancers based on fault zones
• Auto-scale followers based on CPU utilization: scale-up when CPU usage is beyond the threshold, scale-down when CPU drops below the threshold

[Diagram: App -> App LB (Layer 4 or 7, conjur-follower.corp.com) -> conjur-follower1.corp.com, conjur-follower2.corp.com]

SSL Digital Certificate Requirements
CERTIFICATE PURPOSE:
• Secure communication between Conjur nodes
• Required for Conjur HA Cluster
SUPPORTED TYPES:
• Self-signed (included by default)
• Third-party signed (recommended)
CLUSTER CERTIFICATE:
• Shared certificate includes load balancer (CN) and DNS names of each node (alternate names)
FOLLOWERS CERTIFICATE:
• Shared certificate for all followers behind the same load balancer

More information on LOB and how to create it:
Certificate requirements
Certificate architecture

This section describes how the Conjur components communicate with each other.

Source | Destination | Connection | Port
Standbys | Leader | Open connection; data replication (PostgreSQL stream) | 5432
DR Standbys | Leader | Open connection; data replication (PostgreSQL stream) | 5432
Followers | LB / Leader | Open connection; data replication (PostgreSQL stream) | 5432
Followers | Leader | Audit forwarding (Syslog) | 1999
Client / App | LB / Leader / Follower | API request (HTTPS) and HTTPS response | 443

[Diagram: Web App and App send application requests on TCP 443 to conjur-follower-aws.corp.com (CLOUD) and conjur-follower.corp.com (DC1); Followers connect to conjur-cluster.corp.com on TCP 1999, 5432; the cluster VIP carries TCP 443/444, 1999, 5432; Standby to Leader (Master) on TCP 443, 5432 in DC1; DR Standby, DR Standby in DC2]

Definitions
TERM: DESCRIPTION

Leader: The main Conjur node: a single Conjur Server instance that performs read/write operations. It is primarily used to update policies and secrets.
Standby: An inactive replica of the Leader; it gets promoted to a Leader if the original Leader fails.
Conjur Follower: A read-only replica of the Leader. Followers allow secret reads at scale. Followers are horizontally-scaling components that are typically configured behind a load balancer to handle all types of read requests, including authentication, permission checks, and secret fetches.
Conjur Cluster: A group of Leader and Standbys.
Auto-failover cluster: A subgroup of the Conjur cluster. Nodes share their states with one another and can automatically promote a Standby to become the Leader if the original Leader fails.
Manual failover cluster: A Conjur cluster where the Standbys can get promoted to a Leader manually only.
Disaster Recovery Standby (DR Standby): A Standby in a site outside the auto-failover cluster. If this Standby needs to be promoted to Leader, this can only be done manually.
Synchronous Standby (Sync Standby): When an operation is written to the Leader, the transaction is not completed until it is also performed on the synchronous Standby. This way the synchronous Standby is always up to date with the Leader. There can be only one synchronous Standby.
Asynchronous Standby (Async Standby): Asynchronous Standbys replicate from the Leader in an eventual consistency mode, meaning that based on load, availability and size of changes, there might be a delay until the data finishes replicating.

Definitions (Continued)
TERM: DESCRIPTION

Region: A physical location in a data center.
Availability zone (AZ): A region can be divided into one or more availability zones. An AZ is one or more data centers with redundant power, networking, and connectivity. Compared with a single data center, AZs enable you to operate production applications and databases that are better in terms of availability, fault tolerance, and scalability. All AZs in a region are expected to be interconnected with high-bandwidth, low latency networking.
Hardware security module (HSM): A computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication, and other cryptographic functions.
Key Management Service (KMS): An AWS service that supports creation and management of cryptographic keys and the control of their usage.
Security Information and Event Management (SIEM): A system that gives enterprise security professionals both insight into and a track record of the activities within their IT environment. A SIEM can collect and aggregate log data generated throughout the organization's technology infrastructure, from host systems and applications to network and security devices.

Docker Command Review

docker run: Start a container from an image
docker exec: Run a command inside a container
docker restart: Restart a running container
docker stop: Stop a container
docker rm: Remove a container
docker kill: Kill one or more running containers
docker ps: List running containers
docker cp: Copy files to/from a container
docker logs <container_name>: View the logs (stdout) of a container. To follow logs, add the -f option before the container name:
  docker logs -f <container_name>

Installation: Leader

Installation Workflow: Leader (phases: PLAN, INSTALLATION, CONFIGURE, IMPLEMENT, ACTIVATE)
1. Install/Secure Linux OS & Open Ports/Protocols
2. Create System Folders on Linux Host OS
3. Install Platform Software
4. Load Conjur Image Into Local Repository
5. Prepare Docker seccomp profile (Docker and Podman only)
6. Start Conjur Container
7. Run Evoke to Configure Conjur as Leader
8. Import Third-Party SSL Certificates (optional)
9. Encrypt Server Keys (optional)
10. Verify Configuration / Health

Prepare Linux Host Operating System
• Install Linux OS (virtual or physical)
• Securely harden using industry standards along with container platform security guidance
• Ensure all required networking ports and protocols are available and accessible

Prepare Linux Host Operating System
• If mounting volumes between the host OS and Docker, it is recommended to create dedicated folders
• Simplify the process of getting configuration data into each container running the Conjur nodes
  – Configuration
  – Seed Files
  – Audit & Logging
  – Backups
  – Security Profiles

Create System Folders:
  mkdir -p /opt/cyberark/conjur/{security,config,backup,seeds,logs}

Docker Engine Installation (RHEL/CentOS)
• Conjur is packaged as a container image
• Each node should run on a separate machine
• User running container must have root privileges

Install Docker Engine:
  sudo yum install docker
Enable Docker Daemon on Boot:
  sudo systemctl enable docker
Start Docker Services:
  sudo systemctl start docker
Verify Docker is Functioning:
  sudo docker run hello-world
  (expected output includes "Status: Downloaded newer image for hello-world:latest" and "Hello from Docker!")

NOTE: If you want to avoid using the sudo command to run docker, add the desired user accounts to the docker group. Run the following command:
  sudo usermod -aG docker <username>

Load Conjur Image Into Local Repository
The Conjur image is loaded into the local Docker Engine repository for ease of access and starting the Conjur container.

• Load Image:
  docker load -i conjur-appliance_<version>.tar
• View / Verify Image Loaded:
  docker images

Prepare Docker seccomp Profile
Secure computing mode (seccomp) is a Linux kernel feature. You can use it to restrict the actions available within the container. You can use this feature to restrict your application's access.

• Load the security profile at container run-time using the following optional parameter of the docker run command:
  --security-opt seccomp=/path/seccomp/profile.json
• For TEST / DEV environments, using the seccomp=unconfined parameter setting is acceptable:
  --security-opt seccomp=unconfined

Docker Security Profile Details:
https://docs.docker.com/engine/security/seccomp/
Docker Security Profile Example:
https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/Latest/en/Content/Deployment/platforms/docker-sec-profile.htm

Create Leader/Standby Container
• Each Conjur node requires a separate container created and running
• Leader & Standby nodes are identical. Followers are slightly different
• Syntax varies based on version

Create Conjur Leader/Standby Container:
  docker run --name <container-name> -d --restart=unless-stopped --security-opt seccomp:<profile> -p "443:443" -p "444:444" -p "5432:5432" -p "1999:1999" --log-driver journald -v <host path>:<container path>:<options> registry.tld/conjur-appliance:<version>

Verify Docker Container Created:
  docker ps

Run Evoke to Configure Conjur as Leader
• Must accept end user license agreement (EULA)
• Use --master-altnames to configure each node (Leader/Standby) listed in comma-separated format
• Password must be 12-128 characters and include 2 upper/lower letters, 1 digit, and 1 special character

Initialize Conjur Variables:
  containerName=<container-name>
  clusterName=<cluster-load-balancer-dns>
  conjur1=<leader-dns>
  conjur2=<standby1-dns>
  conjur3=<standby2-dns>
  password=$(openssl rand -hex 8)
  account=<account-name>

Run Evoke to Configure Conjur:
  docker exec $containerName evoke configure master --accept-eula --hostname $clusterName --master-altnames "$conjur1,$conjur2,$conjur3" --admin-password $password $account

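The FQDN rules from the requirements slide and the admin-password rule above, checked in shell before evoke is run. This is an added example, not CyberArk's or the lesson's own code; reading "2 upper/lower letters" as two uppercase plus two lowercase is an assumption, and the generator is included because openssl rand -hex 8 yields only lowercase hex digits, which cannot satisfy the stated rule.

```shell
#!/bin/sh
# Added example (not CyberArk's code): pre-flight checks for the naming and
# admin-password rules stated in this lesson. FQDN: no underscore, 63 chars or
# less, role words discouraged. Password: 12-128 chars with at least two
# uppercase, two lowercase, one digit and one special character (assumed
# reading of "2 upper/lower letters, 1 digit, 1 special").

# Count the characters of $1 that fall in the tr character class $2.
count_class() {
  printf '%s' "$1" | LC_ALL=C tr -cd "$2" | wc -c | tr -d ' '
}

# Return 0 when the name satisfies the lesson's FQDN rules. Role words such as
# "standby" only print a warning, because the lesson's own examples use them.
check_conjur_fqdn() {
  name="$1"
  case "$name" in
    "")  echo "FAIL: empty name"; return 1 ;;
    *_*) echo "FAIL: $name contains an underscore"; return 1 ;;
  esac
  if [ "$(count_class "$name" 'A-Za-z0-9.-')" -ne "${#name}" ]; then
    echo "FAIL: $name has characters outside A-Z a-z 0-9 . -"; return 1
  fi
  if [ "${#name}" -gt 63 ]; then
    echo "FAIL: $name is longer than 63 characters"; return 1
  fi
  case "$(printf '%s' "$name" | tr 'A-Z' 'a-z')" in
    *leader*|*standby*|*master*)
      echo "WARN: $name encodes a role that changes after failover" ;;
  esac
  return 0
}

# Return 0 when the password satisfies the stated admin-password policy.
check_admin_password() {
  pw="$1"
  [ "${#pw}" -ge 12 ] && [ "${#pw}" -le 128 ] || return 1
  [ "$(count_class "$pw" 'A-Z')" -ge 2 ] || return 1
  [ "$(count_class "$pw" 'a-z')" -ge 2 ] || return 1
  [ "$(count_class "$pw" '0-9')" -ge 1 ] || return 1
  # anything that is not a letter or digit counts as the special character
  [ "$(count_class "$pw" 'A-Za-z0-9')" -lt "${#pw}" ] || return 1
}

# Draw a 20-character password from /dev/urandom and retry until it passes
# the policy; "openssl rand -hex 8" (as on the slide) never can, since hex
# output has no uppercase letters and no special characters.
gen_admin_password() {
  while :; do
    pw=$(LC_ALL=C tr -dc 'A-Za-z0-9!#%+=?@' < /dev/urandom | head -c 20)
    if check_admin_password "$pw"; then printf '%s\n' "$pw"; return 0; fi
  done
}
```

Run the checks over every name in the FQDN table before handing them to --hostname and --master-altnames, and assign the generated value to the password variable in place of the hex string.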
Import SSL Digital Certificates
• Self-signed certificates are generated by default
• Recommend importing third-party certificates
• Conjur services on the Leader are stopped/restarted during import

Create a directory and copy all certificates into the Leader container:
  docker exec <container-name> mkdir -p <path to be created in container>
  docker cp <path on host> <container-name>:<path in container>

On the Leader container, import the Root/CA certificate:
  docker exec <container-name> evoke ca import --no-restart --force --root <root-ca-cert>

On the Leader container, import the Leader cluster key file and certificate:
  docker exec <container-name> evoke ca import --no-restart --key <master-key-file> --set <master-server-cert>

On the Leader container, import key file and certificate pairs of Follower load balancers:
  docker exec <container-name> evoke ca import --no-restart --key <key-file-name> <server-cert-name>

Restart the Conjur services:
  docker exec <container-name> sv restart conjur nginx pg seed

Encrypt Server Keys (Leader)
Strongly recommended to encrypt server keys (data key, Conjur UI key, and SSL keys) with a leader key
• Choose Encryption Method: Native Key, HSM, or AWS KMS
• Generate Encryption Key (on Leader host machine):
  openssl rand 32 > <file-path>/master.key
• Copy Encryption Key (from Leader host machine):
  docker cp <file-path>/master.key <leader-container>:/etc/conjur-secrets/master.key
• Encrypt Server Key:
  docker exec <leader-container> evoke keys encrypt /etc/conjur-secrets/master.key
• Unlock Server Key for Conjur Access:
  docker exec <leader-container> evoke keys unlock /etc/conjur-secrets/master.key

Verify Configuration / Health
Conjur provides a RESTful API to verify system health.

• Verify Health (cluster): browse to URL
  https://<cluster-load-balancer-dns>/health
• Verify Health (individual node): browse to URL
  https://<conjur-node-dns>/health

Example response:
{
  "services": {
    "ldap-sync": "disabled",
    "ui": "ok",
    "possum": "ok",
    "ok": true
  },
  "database": {
    "ok": true,
    "connect": {
      "main": "ok"
    },
    "free_space": {
      "main": {
        "kbytes": 40749192,
        "inodes": 3245299
      }
    },
    "replication_status": {
      "pg_current_xlog_location": "0/1803F18",
      "pg_current_xlog_location_bytes": 25181976
    }
  },
  "ok": true
}

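A shell check over a /health response of the shape shown above, usable from a load balancer health probe or a cron job. This is an added example and not part of the original lesson; the JSON is a constructed sample following the slide's field names, and the curl wrapper trusts a CA file rather than passing -k, which would disable certificate verification.

```shell
#!/bin/sh
# Added example (not CyberArk's code): evaluate a Conjur /health response of
# the layout shown on this slide without depending on jq. Both JSON documents
# below are constructed samples.

SAMPLE_HEALTHY='{
  "services": { "ldap-sync": "disabled", "ui": "ok", "possum": "ok", "ok": true },
  "database": {
    "ok": true,
    "connect": { "main": "ok" },
    "free_space": { "main": { "kbytes": 40749192, "inodes": 3245299 } },
    "replication_status": {
      "pg_current_xlog_location": "0/1803F18",
      "pg_current_xlog_location_bytes": 25181976
    }
  },
  "ok": true
}'

# Same layout, but the database component has failed and the top-level ok flips.
SAMPLE_UNHEALTHY='{
  "services": { "ldap-sync": "disabled", "ui": "ok", "possum": "ok", "ok": true },
  "database": { "ok": false, "connect": { "main": "failed" } },
  "ok": false
}'

# Return 0 only when no component reports "ok": false and the last "ok" in the
# document (the top-level one on this endpoint) is true.
health_ok() {
  body=$(printf '%s' "$1" | tr -d '\n\r')
  if printf '%s' "$body" | grep -Eq '"ok"[[:space:]]*:[[:space:]]*false'; then
    return 1
  fi
  printf '%s' "$body" | grep -Eq '"ok"[[:space:]]*:[[:space:]]*true[[:space:]]*\}[[:space:]]*$'
}

# Extract free database space in kbytes (0 when the field is absent).
health_free_kbytes() {
  v=$(printf '%s' "$1" | tr -d '\n\r' |
      sed -n -E 's/.*"kbytes"[[:space:]]*:[[:space:]]*([0-9]+).*/\1/p')
  printf '%s\n' "${v:-0}"
}

# Combine both checks against a minimum free-space threshold ($2, in kbytes).
health_verdict() {
  if ! health_ok "$1"; then echo "UNHEALTHY"; return 1; fi
  if [ "$(health_free_kbytes "$1")" -lt "$2" ]; then echo "LOW_DISK"; return 2; fi
  echo "HEALTHY"
}

# Probe a live node the way the lesson's curl check does (not run here).
# $1 = node or load-balancer DNS name, $2 = CA certificate file to trust.
check_node() {
  health_verdict "$(curl -s --cacert "$2" "https://$1/health")" 1048576
}
```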
Installation: Standby

Installation Workflow: Standby (phases: PLAN, INSTALLATION, CONFIGURE, IMPLEMENT, ACTIVATE)
1. Install/Secure Linux OS & Open Ports/Protocols
2. Create System Folders on Linux Host OS
3. Install Platform Software
4. Load Conjur Image Into Local Repository
5. Prepare Docker Security Profile (seccomp)
6. Start the Conjur Container
7. Run Evoke to Create Seed File for Standby
8. Run Evoke to Configure Conjur as Standby
9. Enable & Start Cluster Replication

Steps 1 - 6: Repeat Same as Leader

Create Seed File (Standby)
Seeding a cluster node (Standby/Follower) involves copying a seed file from the Leader to the cluster node, and then unpacking the seed file.

• Streaming via SSH
  ssh -i "<path-leader.pem>" <user@leader-dns> "sudo docker exec <leader-container> evoke seed standby <standby-dns> <leader-dns>" | ssh -i "<path-standby.pem>" <user@standby-dns> "sudo docker exec -i <standby-container> evoke unpack seed -"

• Manual Method
  1. (leader) docker exec <leader> sh -c "evoke seed standby <standby-dns> <leader-dns> > /tmp/standby.tar"
     (the redirect runs inside the container so that step 2 can copy the file out)
  2. (leader) docker cp <leader>:/tmp/standby.tar .
  3. (standby, after transferring standby.tar to the standby host) docker cp ./standby.tar <standby>:/tmp
  4. (standby) docker exec <standby> evoke unpack seed /tmp/standby.tar

Configure Conjur Standby Servers
Command syntax varies depending on whether server keys are encrypted or not.

• Configure Standby with Server Key Encryption:
  docker exec <standby-container> evoke keys exec -m <path-master-key> -- evoke configure standby

• Configure Standby without Server Key Encryption:
  docker exec <standby-container> evoke configure standby

Enable & Start Conjur Cluster Replication
• Synchronous replication ensures all database writes are written to the Leader and at least one Standby
• Protects against data loss in the event the Leader fails

Enable Cluster Replication (Synchronous Standby):
  docker exec <leader-container> evoke replication sync start

Installation: Follower

Installation Workflow: Follower (phases: PLAN, INSTALLATION, CONFIGURE, IMPLEMENT, ACTIVATE)
1. Install/Secure Linux OS & Open Ports/Protocols
2. Create System Folders on Linux Host OS
3. Install Platform Software (Docker Engine)
4. Load Conjur Image Into Local Docker Repository
5. Prepare Docker Security Profile (seccomp)
6. Run Docker to Create the Conjur Container
7. Run Evoke to Create Seed File for Follower
8. Run Evoke to Configure Conjur as Follower

Steps 1 - 5: Repeat Same as Leader

Create Follower Container
• Each Conjur node requires a separate container created and running
• Leader & Standby nodes are identical. Followers are slightly different
• Syntax varies based on version

Create Conjur Follower Container:
  docker run --name <container-name> -d --restart=unless-stopped --security-opt seccomp:<profile> -p "443:443" -p "444:444" --log-driver journald -v <host path>:<container path>:<options> registry.tld/conjur-appliance:<version>

Verify Docker Container Created:
  docker ps

Create Seed File (Follower)
Seeding a cluster node (Standby/Follower) involves copying a seed file from the Leader to the cluster node, and then unpacking the seed file.

• Streaming via SSH
  ssh -i "<path-leader.pem>" <user@leader-dns> "sudo docker exec <leader-container> evoke seed follower <follower-dns> <leader-dns>" | ssh -i "<path-follower.pem>" <user@follower-dns> "sudo docker exec -i <follower-container> evoke unpack seed -"

• Manual Method
  1. (leader) docker exec <leader> sh -c "evoke seed follower <follower-dns> <leader-dns> > /tmp/follower.tar"
     (the redirect runs inside the container so that step 2 can copy the file out)
  2. (leader) docker cp <leader>:/tmp/follower.tar .
  3. (follower, after transferring follower.tar to the follower host) docker cp ./follower.tar <follower>:/tmp
  4. (follower) docker exec <follower> evoke unpack seed /tmp/follower.tar

Configure Conjur Follower Servers
• No command syntax difference with or without server key encryption

Configure Follower:
  docker exec <follower-container> evoke configure follower

Conjur Server Status

Verify Server Status from UI
• Authenticate to the Conjur UI using an admin credential, then select the settings icon in the top right corner of the UI
• Select Conjur Cluster from the menu

Verify Server Status from Conjur CLI
• Verify Conjur Server Health from Docker Container
  docker exec <conjur_container> curl -s -k https://localhost/health

• Verify Conjur Server Health from Network
  curl -s -k --cacert <cert.pem> https://<conjur>/health

Summary

In this session we discussed:
• Conjur System Requirements
• Install Conjur Secrets Manager solution
• Conjur Health Status

We recommend that you now carry out the section of the lab exercise guide associated with this lesson.

Thank You