During the previous days CyberArk has released the version 13.0 of Conjur enterprise.
What's new? Who should consider to upgrade and why?
I've published an article about this themes here inside the SIGHUP blog.
During the previous days CyberArk has released the version 13.0 of Conjur enterprise.
What's new? Who should consider to upgrade and why?
I've published an article about this themes here inside the SIGHUP blog.
CyberArk Conjur is released as an appliance and shipped as container images to have a fast setup without errors.
The supported container runtimes are the following:
Working on several Conjur environments inside our labs or customers we have noted that logs rotation (conjur, nginx, cluster, etc) wasn't performed on podman but that was working correctly on Docker.
After some investigation with the beloved CyberArk support team, we found the solution:
conjur container needs to be re-created adding the capabilities AUDIT_WRITE :
podman run \ ... --cap-add AUDIT_WRITE \ ... registry.tld/conjur-appliance:12.9.0
To avoid some noise inside the nginx logs it's also required to add the following permission inside every Conjur container:
chmod 701 /opt/cyberark/dap/log/nginx
The CyberArk support team was great as usual to assist us and to work together to find the solution.
These issues are now tracked on the CyberArk docs and should be addressed soon.
In case you had the same issue I recommend to contact the CyberArk support to get confirmation if this solution could apply also to your environment.
I believe it's important to start with a premise:
in this article I'll spoke about a product/service built and offered by my actual employer, SIGHUP.
Nobody from my company asked me to publish this blogpost here, this are my honest opinion about Secure Containers.
Secure Containers is a service with a fee, built by SIGHUP that brought container base image secure, hardened and updated.
Developer work with containers and images, compared to the past, offer several advantages like standardisation, automation, and a faster release time.
One of the underestimated aspects of working with containers, is that it's necessary to start from basic images that must be chosen with due caution in order not to run into one or more of the following issues:
It is clear that having constantly updated base images, which contain the least number of CVEs possible, is important because any problems, once my software has been deployed, are replicated in the container which we then find running in production environments.
Keeping the base images updated and secure is therefore a non-negligible activity, which becomes a task that must be adequately followed by someone in the company, removing them from other tasks.
Here Secure Containers service can help with the following advantages:
If you are interested in Secure Containers, please read the dedicated site to find more info and FAQ where you have also the possibility to enable a free trial of the service.
If you like to read more about the security of container base images, check this article where I'll explain this topic deeper.
Being able to work safely in cybersecurity requires knowledge, attention to detail, and a good software portfolio to rely on.
One of the tools that I've learned and used during the last months is Snyk.
Call Snyk tools is not correct because it's a security platform with a series of tools that could operate on every code built:
During this period working on a CyberArk Conjur environment, we experienced a strange behavior during Conjur follower setup.
The setup on the follower was starting, the seed received, imported, and expanded but after some other steps the process was hanging and ending with a generic "System Error".
After the error message, the Conjur follower was restarted.
We did some troubleshooting inside the Conjur Follower pod and we have verified that the Follower was able to connect to the Conjur API leader successfully but it wasn't able to connect to the Postgres database and finish the initial replication.
The correct way to verify the Postgres connectivity from the follower to the leader is the following command:
echo "" | openssl s_client -starttls postgres -connect <lb_DNS>:5432 -showcerts
As you know one of the piace of Cybeark Conjur architecture is Synchronizer which is needed to receive the secrets from the VAUL.
Last week, I took charge of an abandoned Synchronizer 11.7 that was not working for a while and needed also to upgrade to the newest 12.7.
After the upgrade (check this link for the steps ), the windows service was unable to start and the log contained the following error:
[5] [main] FATAL VaultConjurSynchronizer.Service.SynchronizerService - VCSS006F Failed to start CyberArk Vault-Conjur Synchronizer Service: CASVM035E Vault name is missing.
After a search on google, we were pointed to the CASOS log error for the VAULT where documentations suggest calling CyberArk support .
Luckily in the case of a Synchronizer, we fixed it easily by editing the file
C:\Program Files\CyberArk\Synchronizer\VaultConjurSynchronizer.exe.config
where the value of the key INTEGRATION_VAULT_NAME. was blank, after we have filled it with the vault name (present in vault.ini) the service was able to run again correctly and the secrets sync was made.
As you probably know CyberArk has a big annual event named Impact, and this year was run in Boston.
Over the past weeks, CyberArk has announced a great initiative named CyberArk Impact world tour that will be hosted in several cities around the globe.
If you are interested, here on this page you could find all the details:
Personally, I'll attend the one in Milan scheduled for the 11th of October 2022.
I'm excited to have this opportunity to follow some interesting sessions and meet interesting people in person, see you there!