CyberArk Conjur

This article describes the steps required to integrate CyberArk Conjur with Hyperscience.

Configure CyberArk Conjur

To configure the CyberArk Conjur integration, follow the steps below:

  1. In CyberArk Conjur, create the policies, roles, and credentials for Hyperscience to use. Make sure to grant permissions to all variables that the application will use. To learn more, see CyberArk’s Policy Management and Conjur Default Authenticator.

  2. In v32 to v35.0.6, the mapping between environment variables and Conjur variables is defined in the secrets.yml file. See the “[v32 to v35.0.6] Configure secrets.yml” section below for more information.

  3. In v35.0.7 and later, a .secrets file can be used instead of secrets.yml. This file uses the same structure for variables as the “.env” file. For example, a typical variable in the .secrets file looks like this:

    FORMS_DB_PASS=hs/prod/db_password

  4. In the “.env” file, set the following environment variables to their appropriate values:

    CONJUR_APPLIANCE_URL=http://conjur.example.com:18080
    CONJUR_CERT_FILE=
    CONJUR_ACCOUNT=myConjurAccount
    CONJUR_AUTHN_LOGIN=host/examplehost.example.com
    CONJUR_AUTHN_API_KEY=

    To learn more about environment variables, see CyberArk’s Configuration documentation.

  5. Confirm that the Conjur tooling works outside of Hyperscience with the credentials configured above.

  6. In the “.env” file, add the following variable and value:

    HS_SECRETS_MANAGER=conjur

  7. Restart the Hyperscience application with the following commands. Make sure that the commands work as expected.

    sudo bash run.sh init
    sudo bash run.sh --restart --clean

  8. Rotate the secrets and restart the application with the above commands again. Make sure that the Hyperscience application starts successfully upon restart. Depending on the version used, the secrets.yml or .secrets file maps each environment variable to the Conjur secret that should be retrieved for it.

[v32 to v35.0.6] Configure secrets.yml

The secrets.yml file defines a format for mapping an environment variable to a location where a secret is stored. There are no sensitive values in the secrets.yml file itself.

For example, a typical secrets.yml file looks like this:

FORMS_DB_PASS: !var hs/prod/db_password

To learn more about secrets.yml, see Summon’s secrets.yml guide. Summon is a command-line tool that reads a file in secrets.yml format and injects secrets as environment variables into any process. You do not need to download Summon, as the tool is part of our CyberArk Conjur integration.
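As an added example (not Hyperscience's, Summon's, or CyberArk's own code), the Python below parses both mapping formats described on this page, the .secrets file from step 3 and the secrets.yml file above, resolves each Conjur variable id through a pluggable fetch callable, and injects the values into a child process environment the way Summon does, without writing them to disk. The in-memory store, the SMTP_PASS entry, and the sample values are constructed assumptions standing in for the Conjur API.

```python
import os
import re
import subprocess
from typing import Callable, Dict

# Constructed sample inputs in the two mapping formats: the v35.0.7+ .secrets
# file (ENV_VAR=conjur/variable/id) and the v32-v35.0.6 secrets.yml file.
DOTSECRETS_TEXT = "FORMS_DB_PASS=hs/prod/db_password\nSMTP_PASS=hs/prod/smtp_password\n"
SECRETS_YML_TEXT = "FORMS_DB_PASS: !var hs/prod/db_password\nSMTP_PASS: !var hs/prod/smtp_password\n"

# Constructed stand-in for the Conjur variable store (assumption: a real fetch
# callable would authenticate to CONJUR_APPLIANCE_URL and read variables via the API).
FAKE_CONJUR_STORE = {"hs/prod/db_password": "db-pass-example", "hs/prod/smtp_password": "smtp-pass-example"}


def parse_dotsecrets(text: str) -> Dict[str, str]:
    """Map ENV_VAR -> Conjur variable id from .secrets lines; blanks and # comments are skipped."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, var_id = line.partition("=")
        if sep and name.strip():
            mapping[name.strip()] = var_id.strip()
    return mapping


def parse_secrets_yml(text: str) -> Dict[str, str]:
    """Map ENV_VAR -> Conjur variable id from secrets.yml lines of the form `NAME: !var id`."""
    pattern = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*!var\s+(\S+)\s*$")
    return {m.group(1): m.group(2) for m in map(pattern.match, text.splitlines()) if m}


def resolve(mapping: Dict[str, str], fetch: Callable[[str], str]) -> Dict[str, str]:
    """Fetch every mapped variable; fail closed (naming ids, never values) if any is missing."""
    env, missing = {}, []
    for name, var_id in mapping.items():
        try:
            env[name] = fetch(var_id)
        except KeyError:
            missing.append(var_id)
    if missing:
        raise RuntimeError("unresolved Conjur variables: " + ", ".join(sorted(missing)))
    return env


def run_with_secrets(mapping: Dict[str, str], fetch: Callable[[str], str], argv: list) -> int:
    """Start a child with the secrets in its environment only; nothing is written to disk."""
    child_env = {**os.environ, **resolve(mapping, fetch)}
    return subprocess.run(argv, env=child_env).returncode
```

Failing closed matters for step 8: after a rotation, a missing or renamed variable should stop the start-up rather than let the application come up with an empty password.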