Vault Synchronizer with CyberArk Vault

CyberArk's Digital Enterprise Password Vault ® (EPV) integration with Conjur expands CyberArk's Privileged Access Management solution to the DevOps space and to modern, dynamic environments. Secrets that are stored and managed in the Vault can be shared with Conjur and consumed through its clients, APIs, and SDKs, which improves security and reduces risk in DevOps environments such as CI/CD pipelines, containerized applications, and cloud platforms.

The integration between the Enterprise Password Vault ® (EPV) and Conjur provides Security, IT, and DevOps teams with a common platform to enforce privileged access security policies on all platforms - on-premises, cloud, and DevOps - forming a consistent, unified, enterprise-wide Privileged Access Management program.

Solution benefits

CyberArk's Digital Enterprise Password Vault ® (EPV) integration with Conjur provides the following benefits:

  • Enables CyberArk customers who store and manage their secrets in the Enterprise Password Vault ® (EPV) to benefit from Conjur's ability to deliver secrets to dynamic and ephemeral environments and containers.

  • Enables central policy enforcement for DevOps use cases, such as rotation, monitoring, and auditing.

How does it work?

A Line of Business (LOB) represents a business group that requires access to secrets from the Vault. Keeping each business group in its own LOB enables segregation of duties (SoD). The LOB user is the identity through which accounts are synced to Conjur.

  1. The Vault Admin creates LOB users and grants them ownership of specific Safes. Only Safes owned by an LOB user are synced to Conjur.

  2. The CyberArk Vault Synchronizer service (Synchronizer) retrieves the accounts for these LOBs.

  3. The Synchronizer generates a policy for these LOBs that contains the secrets defined as variables, and loads them to Conjur.

  4. The Synchronizer syncs the accounts to Conjur as Conjur variables.

  5. The Conjur admin creates and loads a policy that delegates users and hosts permissions to the variables.

    During each sync interval, the Synchronizer repeats step 2 and, if needed, steps 3 and 4.

Synchronizer flow

The Synchronizer syncs secrets only from accounts in the root folder of Safes that are owned by the LOB user. The Synchronizer uses two types of synchronization intervals: a general sync, which refreshes new and updated accounts, and a full sync, which refreshes all accounts, including accounts that have been deleted or moved. By default, the general sync occurs every minute and the full sync occurs every hour.

The Synchronizer supports most account types. To learn more about single and dual accounts, see Accounts and Safes.

Accounts used on Service Account platforms are not synced.

Full sync flow

  1. The Synchronizer user retrieves all LOB User accounts from the Synchronizer Safe in intervals of half the time defined in the GENERAL_SYNC_INTERVAL_TIME parameter.

    If there is a new LOB, the Synchronizer generates the policy and loads it to Conjur.

    If multiple LOBs own the same Safe, a set of variables representing the accounts are created for each LOB in Conjur.

  2. The Synchronizer runs in intervals as defined in the VaultConjurSynchronizer.exe.config file in the FULL_SYNC_INTERVAL_TIME parameter. By default, this occurs every 60 minutes. This process syncs the LOB owned Safes with Conjur.

    If the synchronization process does not finish before the next scheduled general sync interval, subsequent sync intervals for this LOB are skipped until the running synchronization is complete.

  3. If an account is added to a synced Safe, or if a new Safe was added or assigned to the LOB User, then the new accounts are synced to Conjur in the next sync interval. The Synchronizer first refreshes changes in currently synced secrets and then adds the new accounts to Conjur, so ongoing changes are updated as soon as possible.

    The full sync also covers every account, but because the general sync runs far more often, new and updated accounts are normally already in Conjur by the time the full sync runs.

  4. If enabled, Safes and accounts that no longer exist in the Vault are deleted from Conjur during the full sync (by default, every 60 minutes). This feature is disabled by default. For more information, see Delete accounts/Safes.

General sync flow

  1. The Synchronizer user retrieves new and updated LOB User accounts from the Synchronizer Safe in intervals of half the length of the GENERAL_SYNC_INTERVAL_TIME parameter.

    If multiple LOBs own the same Safe, a set of variables representing the accounts are created for each LOB in Conjur.

  2. The Synchronizer runs in intervals as defined in the VaultConjurSynchronizer.exe.config file in the GENERAL_SYNC_INTERVAL_TIME parameter. By default, this occurs every one minute. This process syncs the LOB owned Safes with Conjur.

    If the synchronization process does not finish before the next scheduled sync interval, subsequent sync intervals for this LOB are skipped until the running synchronization is complete.

  3. If an account is added to a synced Safe, the new account is synced to Conjur in the next sync interval.

    Accounts that are deleted or moved are not synchronized during the general sync.
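The full sync and general sync flows above differ in exactly one security-relevant way: the general sync never removes anything, and the full sync removes deleted or moved accounts only if the delete option is enabled, so a secret that has been retired in the Vault can remain readable in Conjur for up to a full sync interval, or indefinitely with the default settings. The following Python model, an added example rather than CyberArk's own code, walks one account through add, rotation, a second LOB owning the same Safe, and removal, and includes a stale_variables check an admin can use to spot orphaned secrets between full syncs. The variable layout vault/<LOB>/<Safe>/<account>/<property>, the folder filter, and the sample accounts are assumptions made for illustration.

```python
"""Toy model of the Vault Synchronizer's general and full sync passes.
Added illustration only; it is not CyberArk code. The variable layout
'vault/<LOB>/<Safe>/<account>/<property>', the folder check and the sample
accounts are assumptions made for this example."""

from dataclasses import dataclass, field


@dataclass
class Account:
    safe: str
    name: str
    props: dict            # property name -> secret value, e.g. {"username": .., "password": ..}
    folder: str = "Root"   # assumption: only accounts in the Safe's root folder are synced


@dataclass
class ConjurState:
    values: dict = field(default_factory=dict)   # variable id -> last synced secret value


def variable_id(lob: str, acct: Account, prop: str) -> str:
    """Assumed naming: one variable per synced property, namespaced by LOB, so two
    LOBs that own the same Safe get independent variable sets."""
    return f"vault/{lob}/{acct.safe}/{acct.name}/{prop}"


def desired_variables(lob: str, vault_accounts: list) -> dict:
    """What Conjur should hold for this LOB: root-folder accounts only."""
    return {variable_id(lob, a, p): v
            for a in vault_accounts if a.folder == "Root"
            for p, v in a.props.items()}


def stale_variables(lob: str, vault_accounts: list, conjur: ConjurState) -> list:
    """Variables under this LOB with no matching Vault account (deleted, moved, or no
    longer in a Safe the LOB owns). Until a full sync with deletion enabled runs,
    these keep serving their last synced secret."""
    prefix = f"vault/{lob}/"
    live = desired_variables(lob, vault_accounts)
    return sorted(v for v in conjur.values if v.startswith(prefix) and v not in live)


def general_sync(lob: str, vault_accounts: list, conjur: ConjurState) -> dict:
    """General sync (default: every minute): refresh changed secrets first, then add
    new accounts. Never deletes anything."""
    wanted = desired_variables(lob, vault_accounts)
    updated = [v for v, val in wanted.items()
               if v in conjur.values and conjur.values[v] != val]
    added = [v for v in wanted if v not in conjur.values]
    for v in updated + added:
        conjur.values[v] = wanted[v]
    return {"added": added, "updated": updated, "deleted": []}


def full_sync(lob: str, vault_accounts: list, conjur: ConjurState,
              delete_enabled: bool = False) -> dict:
    """Full sync (default: every 60 minutes): same as the general sync, plus removal
    of stale variables, but only if the delete option is enabled (off by default)."""
    result = general_sync(lob, vault_accounts, conjur)
    stale = stale_variables(lob, vault_accounts, conjur)
    if delete_enabled:
        for v in stale:
            del conjur.values[v]
        result["deleted"] = stale
    return result


def demo() -> dict:
    """Walk one constructed account through add, rotate, and removal; returns the deltas."""
    conjur = ConjurState()
    db = Account("AppSecrets", "db-admin", {"username": "dbadmin", "password": "s3cr3t-v1"})
    hidden = Account("AppSecrets", "in-subfolder", {"password": "never-synced"},
                     folder="Root\\Legacy")
    out = {}
    out["first"] = general_sync("DevOps", [db, hidden], conjur)     # adds 2 vars, skips subfolder
    db.props["password"] = "s3cr3t-v2"                              # rotation in the Vault
    out["rotate"] = general_sync("DevOps", [db], conjur)            # refreshes 1 var
    out["second_lob"] = general_sync("Finance", [db], conjur)       # separate set for another LOB
    out["after_removal"] = general_sync("DevOps", [], conjur)       # account gone: nothing changes
    out["stale"] = stale_variables("DevOps", [], conjur)            # orphaned secrets still readable
    out["full_nodelete"] = full_sync("DevOps", [], conjur)          # default: still nothing deleted
    out["full_delete"] = full_sync("DevOps", [], conjur, delete_enabled=True)
    out["remaining"] = sorted(conjur.values)                        # only Finance's copy is left
    return out


if __name__ == "__main__":
    for step, delta in demo().items():
        print(f"{step}: {delta}")
```

The point to take from the run is the after_removal and full_nodelete steps: the retired account's username and password are still served by Conjur, and with the default configuration nothing ever removes them. Whether you enable deletion or not, the stale_variables check is the audit you want to run against real Conjur variable listings after Safe reorganisations.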

System requirements

For information about the Vault Synchronizer system requirements, see System requirements for CyberArk Vault Synchronizer.

Setup options

This section describes the options for setting up the synchronization between the Vault and Conjur.

Single Vault to single Conjur cluster

In this set up, a single Vault Synchronizer syncs between one Vault and one Conjur cluster.

Multiple Vaults to single Conjur cluster

Use this setup if you have multiple Vaults with secrets that need to be retrieved from PAM - Self-Hosted. This requires setting up a different Vault Synchronizer for each Vault. For maximum Vault and Conjur performance, we recommend synchronizing up to 3 Vaults.

Single Vault to multiple Conjur clusters

Use this setup for segregating Vault accounts and replicating them to different Conjur clusters. This requires setting up a different Vault Synchronizer for each Conjur cluster. For maximum Vault and Conjur performance, we recommend syncing up to 5 Conjur clusters.

Multiple Synchronizer instances for one Vault and one Conjur cluster

Using multiple Synchronizer instances with a single Conjur deployment can improve sync performance.

Use this setup to configure multiple Synchronizer instances that synchronize different Safes within a single Vault and a single Conjur cluster. Each Synchronizer can be configured to synchronize different properties for its own subset of Safes. For example, one Synchronizer might handle Safes with the default setting (username and password properties only) while another handles Safes where all properties are synchronized.

Audits

Audit records are stored in the Enterprise Password Vault ® (EPV) and in Conjur. The Vault Synchronizer does not maintain audit records.