Prepare AWS image for Conjur deployment and configuration (Docker only)

CyberArk provides Amazon Machine Images (AMIs) for Conjur. The base operating system of the Conjur AMI is Amazon Linux 2. The AMIs are available for Docker only.

This section describes the steps needed to prepare and set up your AWS environment before deploying and configuring Conjur.


This section includes basic information about running EC2 instances based on the Conjur Enterprise AMI. It is not intended to be a comprehensive reference.

Step 1: Request the Conjur AMI

If you use AWS, request the Conjur AMI. The AMI includes Conjur and Docker. Be sure to include your organization's AWS Account ID in the request.

CyberArk will share AMIs to your AWS account, and will guide you through launching the image.

Step 2: Launch EC2 instances

Perform the following steps for the Leader and Standby nodes:

  1. From the EC2 dashboard, click Launch instance and select the Conjur AMI that your CyberArk support representative shared with your AWS account.

    When the EC2 instance starts, the Conjur container starts automatically.

  2. To launch the instance, follow the online instructions.

  3. When you reach the Security Group configuration, open the following ports:

    Leader/Standby

    The following ports must be open and accessible between the listed endpoints.

    Required ports for the Leader and Standbys

    From           | To             | Port | Protocol | Description
    ---------------|----------------|------|----------|------------
    Admin endpoint | Leader/Standby | 22   | TCP      | SSH access. Port 22 is a suggestion; you can choose an alternative port.
    Leader         | Standby        | 5432 | TCP      | PostgreSQL replication. Required for data replication from the Leader to Standbys and Followers.
    Standby        | Leader         | 5432 | TCP      | PostgreSQL replication. Required for data replication from the Leader to Standbys and Followers.
    Load balancer  | Leader         | 5432 | TCP      | PostgreSQL replication. Required for data replication from the Leader to Standbys and Followers.
    Load balancer  | Standby        | 5432 | TCP      | PostgreSQL replication. Required for data replication from the Leader to Standbys and Followers.
    Leader         | Standby        | 443  | TCP      | Auto-Failover
    Standby        | Leader         | 443  | TCP      | Auto-Failover
    Load balancer  | Leader         | 443  | TCP      | TLS endpoint for Conjur UI and API access
    Load balancer  | Standby        | 443  | TCP      | TLS endpoint for Conjur UI and API access
    Client         | Load balancer  | 443  | TCP      | TLS endpoint for Conjur UI and API access
    Load balancer  | Leader         | 1999 | TCP      | syslog-ng audit stream. Using syslog-ng, audit events are streamed from the Follower to the Leader.
    Load balancer  | Standby        | 1999 | TCP      | syslog-ng audit stream. Using syslog-ng, audit events are streamed from the Follower to the Leader.
    Load balancer  | Leader         | 444  | TCP      | HTTP health endpoint. Simplifies load balancer setup.
    Load balancer  | Standby        | 444  | TCP      | HTTP health endpoint. Simplifies load balancer setup.

    Follower

    The following ports must be open:

    Required ports for Followers

    Port | Accessible from                      | Purpose
    -----|--------------------------------------|--------
    22   | Local machine for setup / management | SSH access. Note: This specific port is not required by Conjur. You can choose an alternative port.
    443  | Load balancer                        | TLS endpoint for API
    444  | Load balancer                        | HTTP health endpoint. Simplifies load balancer setup.
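
The port table is also a useful checklist for reviewing a security group before launch: every required port needs an ingress rule, and the ports that are only ever contacted by the cluster, the load balancer or the admin endpoint (SSH, health, audit stream, replication) should never be open to the whole internet. The following shell audit is an added example, not CyberArk's code and not part of the original page. It assumes the rules are supplied one per line as "<port> <protocol> <source CIDR>" on stdin; the port lists and the sample rule set are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not CyberArk's code: audit a Leader/Standby security group's
# ingress rules against the port table above.
#
# Input (stdin): one rule per line, "<port> <protocol> <source CIDR>", for
# example derived from `aws ec2 describe-security-groups` output (the exact
# --query expression is left to you and is not part of this example).

# Ports the Leader/Standby table requires (22 is the suggested SSH port).
REQUIRED_PORTS="22 443 444 1999 5432"

# Ports that should only be reachable from the cluster, the load balancer or
# the admin endpoint, never from the whole internet: SSH, the health endpoint,
# the syslog-ng audit stream and PostgreSQL replication. Only 443 is
# client-facing, and even that is fronted by the load balancer.
INTERNAL_PORTS="22 444 1999 5432"

# audit_rules: reads the rule list on stdin, prints one finding per line and
# returns 0 when there are no findings, 1 otherwise.
audit_rules() {
    local rules port status=0
    rules=$(cat)

    # Every required port needs at least one TCP ingress rule.
    for port in $REQUIRED_PORTS; do
        if ! printf '%s\n' "$rules" |
            awk -v p="$port" '$1 == p && tolower($2) == "tcp" { found = 1 } END { exit found ? 0 : 1 }'; then
            echo "MISSING: no TCP ingress rule for port $port"
            status=1
        fi
    done

    # Internal ports must not be open to 0.0.0.0/0 or ::/0.
    for port in $INTERNAL_PORTS; do
        if printf '%s\n' "$rules" |
            awk -v p="$port" '$1 == p && ($3 == "0.0.0.0/0" || $3 == "::/0") { open = 1 } END { exit open ? 0 : 1 }'; then
            echo "EXPOSED: port $port is reachable from any address; restrict the source to the cluster, load balancer or admin endpoint"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample rule set (not from a real account): the replication port
# is open to the internet and the audit-stream port has no rule at all.
SAMPLE_RULES='22 tcp 203.0.113.10/32
443 tcp 0.0.0.0/0
444 tcp 10.0.1.0/24
5432 tcp 0.0.0.0/0'

if printf '%s\n' "$SAMPLE_RULES" | audit_rules; then
    echo "security group matches the port table"
else
    echo "fix the findings above before launching the instance"
fi
```

Run against the sample, the audit reports one MISSING line (port 1999) and one EXPOSED line (port 5432) and exits non-zero, so it can gate an automated launch pipeline. The Follower table has its own, smaller port set; adjust REQUIRED_PORTS and INTERNAL_PORTS accordingly when auditing a Follower security group.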

Step 3: Connect to the EC2 instance

Perform this step for the Leader and Standby nodes:

Once the EC2 instance for your Conjur Server is available, right-click the instance and connect using the AWS instructions.

The Conjur AMI is based on Amazon Linux 2, so SSH access uses the ec2-user account.

Step 4: Add ec2-user to sudo group

Perform this step for the Leader and Standby nodes:

  1. Connect to your node via SSH.

  2. Run the following command:

    $ sudo usermod -a -G docker ec2-user

  3. Log off the node and log back on for the change to take effect.

Step 5: Managing the Conjur service

Amazon Linux 2 uses systemd as its init system. The name of the service that runs the Conjur container is conjur. When upgrading or debugging Conjur, it is helpful to be able to manage the conjur service. This can be done as follows:

# View service status
$ systemctl status conjur
# Start/stop/restart service
$ sudo systemctl start conjur
$ sudo systemctl stop conjur
$ sudo systemctl restart conjur
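
After starting or restarting the service, it is worth confirming that the container is actually listening on the ports the Leader/Standby table expects, rather than relying on the systemd unit reporting active. The following check is an added example, not CyberArk's code and not part of the original page. It reads ss -ltn output on stdin (so it also works on saved output); the port list and the sample ss output are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not CyberArk's code: after starting the conjur service, confirm
# that the container is listening on the ports the Leader/Standby table expects.
# On the instance itself:
#   ss -ltn | missing_listeners || journalctl CONTAINER_NAME=conjur-appliance -n 50

# Ports the conjur container must expose on a Leader/Standby (from the table above).
CONJUR_PORTS="443 444 5432 1999"

# missing_listeners: reads `ss -ltn` output on stdin, prints each expected port
# with no LISTEN socket (one per line); returns 0 when every port is listening,
# 1 otherwise.
missing_listeners() {
    local listening port status=0
    # Column 4 of `ss -ltn` is "Local Address:Port"; the port is the text after
    # the last colon, which also handles IPv6 forms such as [::]:443.
    listening=$(awk 'NR > 1 && $1 == "LISTEN" { n = split($4, a, ":"); print a[n] }')
    for port in $CONJUR_PORTS; do
        if ! printf '%s\n' "$listening" | grep -qx "$port"; then
            echo "$port"
            status=1
        fi
    done
    return "$status"
}

# Constructed `ss -ltn` output (not captured from a real instance): the
# syslog-ng audit port 1999 is not listening and should be looked into in the
# journal.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   [::]:443           [::]:*
LISTEN 0      4096   0.0.0.0:444        0.0.0.0:*
LISTEN 0      244    0.0.0.0:5432       0.0.0.0:*'

if missing=$(printf '%s\n' "$SAMPLE_SS" | missing_listeners); then
    echo "all Conjur ports are listening"
else
    echo "not listening: $missing"
fi
```

The function exits non-zero when any port is missing, which makes it convenient as a post-restart health gate or as the condition for dumping the container's journal entries, as in the comment at the top of the block.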

Logging

Container logs are sent to the systemd journal, using Docker's journald logging driver.

To view the container's logs, use journalctl:

$ journalctl CONTAINER_NAME=conjur-appliance

Because the AMI uses the journald logging driver, docker logs does not return the container's logs.