Prepare AWS image for Conjur deployment and configuration (Docker only)
CyberArk provides Amazon Machine Images (AMIs) for Conjur. The base operating system of the Conjur AMI is Amazon Linux 2. The AMIs are available for Docker only.
This section describes the steps needed to prepare and set up your AWS environment before deploying and configuring Conjur.
This section includes basic information about running EC2 instances based on the Conjur Enterprise AMI. It is not intended to be a comprehensive reference.
Step 1: Request the Conjur AMI
If you use AWS, request the Conjur AMI. The AMI includes Conjur and Docker. Be sure to include your organization's AWS Account ID in the request.
CyberArk will share AMIs to your AWS account, and will guide you through launching the image.
Step 2: Launch EC2 instances
Perform the following steps for the Leader and Standby nodes:
- From the EC2 dashboard, click Launch instance and select the Conjur AMI that your CyberArk support representative shared with your AWS account.
  When the EC2 instance starts, the Conjur container starts automatically.
- To launch the instance, follow the online instructions.
- When you reach the Security Group configuration, open the following ports:
Leader/Standby
The following ports need to be open and accessible according to the following table.

Required ports for the Leader and Standbys

| From           | To             | Port | Protocol | Description |
|----------------|----------------|------|----------|-------------|
| Admin endpoint | Leader/Standby | 22   | TCP      | SSH access. Port 22 is a suggestion; you can choose an alternative port. |
| Leader         | Standby        | 5432 | TCP      | PostgreSQL replication. Required for data replication from the Leader to Standbys and Followers. |
| Standby        | Leader         | 5432 | TCP      | PostgreSQL replication. Required for data replication from the Leader to Standbys and Followers. |
| Load balancer  | Leader         | 5432 | TCP      | PostgreSQL replication. Required for data replication from the Leader to Standbys and Followers. |
| Load balancer  | Standby        | 5432 | TCP      | PostgreSQL replication. Required for data replication from the Leader to Standbys and Followers. |
| Leader         | Standby        | 443  | TCP      | Auto-Failover |
| Standby        | Leader         | 443  | TCP      | Auto-Failover |
| Load balancer  | Leader         | 443  | TCP      | TLS endpoint for Conjur UI and API access |
| Load balancer  | Standby        | 443  | TCP      | TLS endpoint for Conjur UI and API access |
| Client         | Load balancer  | 443  | TCP      | TLS endpoint for Conjur UI and API access |
| Load balancer  | Leader         | 1999 | TCP      | syslog-ng audit stream. Using syslog-ng, audit events are streamed from the Follower to the Leader. |
| Load balancer  | Standby        | 1999 | TCP      | syslog-ng audit stream. Using syslog-ng, audit events are streamed from the Follower to the Leader. |
| Load balancer  | Leader         | 444  | TCP      | HTTP health endpoint. Simplifies load balancer setup. |
| Load balancer  | Standby        | 444  | TCP      | HTTP health endpoint. Simplifies load balancer setup. |
Follower
The following ports need to be open:

Required ports for Followers

| Port | Accessible from                      | Purpose |
|------|--------------------------------------|---------|
| 22   | Local machine for setup / management | SSH access. Note: this specific port is not required by Conjur; you can choose an alternative port. |
| 443  | Load balancer                        | TLS endpoint for API |
| 444  | Load balancer                        | HTTP health endpoint. Simplifies load balancer setup. |
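The two port tables above are worth checking mechanically rather than by eye, because the most common mistakes (a replication or SSH rule left open to 0.0.0.0/0, or a health-endpoint rule never added) are not visible in the console at a glance. The script below is an added example, not CyberArk's code: it encodes the matrix from this section and compares it with the IpPermissions structure that `aws ec2 describe-security-groups` returns for a group, reporting required rules that are missing, rules that reach beyond the matrix, and anything reachable from 0.0.0.0/0 or ::/0. It can also render the matrix in the form that `aws ec2 authorize-security-group-ingress --ip-permissions` accepts. The security-group IDs, the admin CIDR and the sample group in it are constructed placeholders.

```python
"""Audit an EC2 security group against the Conjur port tables in this section.
Added example, not CyberArk's code. All IDs and CIDRs below are constructed."""
import json

# Required inbound TCP ports per node role, taken from the tables above.
# port -> logical sources that must be able to reach it.
REQUIRED_INGRESS = {
    "leader_standby": {
        22: {"admin"},                              # SSH; the port number is a suggestion
        5432: {"leader_standby", "load_balancer"},  # PostgreSQL replication
        443: {"leader_standby", "load_balancer"},   # auto-failover / TLS endpoint
        1999: {"load_balancer"},                    # syslog-ng audit stream
        444: {"load_balancer"},                     # HTTP health endpoint
    },
    "follower": {22: {"admin"}, 443: {"load_balancer"}, 444: {"load_balancer"}},
}
WORLD = {"0.0.0.0/0", "::/0"}

# Assumed mapping from logical source to a concrete CIDR or security group.
# Replace with the IDs from your own account; these values are placeholders.
SOURCE_MAP = {
    "admin": ("cidr", "10.10.0.0/24"),
    "leader_standby": ("sg", "sg-0a1b2c3d4e5f60001"),
    "load_balancer": ("sg", "sg-0a1b2c3d4e5f60002"),
}


def required_permissions(role, source_map=SOURCE_MAP):
    """Render the matrix as the IpPermissions list that
    `aws ec2 authorize-security-group-ingress --ip-permissions` accepts."""
    perms = []
    for port, sources in sorted(REQUIRED_INGRESS[role].items()):
        perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                "IpRanges": [], "UserIdGroupPairs": []}
        for src in sorted(sources):
            kind, value = source_map[src]
            if kind == "cidr":
                perm["IpRanges"].append({"CidrIp": value})
            else:
                perm["UserIdGroupPairs"].append({"GroupId": value})
        perms.append(perm)
    return perms


def _sources_of(perm):
    """Yield every (kind, value) a single permission grants access from."""
    for r in perm.get("IpRanges", []):
        yield "cidr", r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield "cidr", r["CidrIpv6"]
    for g in perm.get("UserIdGroupPairs", []):
        yield "sg", g["GroupId"]


def audit_ingress(role, ip_permissions, source_map=SOURCE_MAP):
    """Compare a group's ingress rules with the matrix for `role`.
    Returns {"missing": [(port, source)], "unexpected": [str], "world_open": [port]};
    a clean group yields three empty lists."""
    required = REQUIRED_INGRESS[role]
    by_value = {v: name for name, v in source_map.items()}  # (kind, value) -> role
    granted, unexpected, world_open = set(), [], set()
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        for kind, value in _sources_of(perm):
            src = by_value.get((kind, value))          # None for unknown sources
            if proto == "-1":                          # all protocols and all ports
                unexpected.append(f"all traffic from {value}")
                if value in WORLD:
                    world_open.add("*")
                continue
            if proto != "tcp":                         # Conjur only needs TCP
                unexpected.append(f"{proto} from {value}")
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            ports = range(lo, hi + 1)
            wanted = {p for p in ports if p in required and src in required[p]}
            granted.update((p, src) for p in wanted)
            if value in WORLD:
                world_open.update(ports)
            if len(wanted) != len(ports):              # rule reaches past the matrix
                span = str(lo) if lo == hi else f"{lo}-{hi}"
                unexpected.append(f"tcp/{span} from {value}")
    missing = sorted((p, s) for p, srcs in required.items()
                     for s in srcs if (p, s) not in granted)
    return {"missing": missing, "unexpected": unexpected,
            "world_open": sorted(world_open, key=lambda p: (isinstance(p, str), p))}


# Constructed describe-security-groups output for a Leader group: replication and
# failover rules are right, but 5432 is also open to the world and the health
# endpoint rule (444 from the load balancer) was never added.
SAMPLE_LEADER_GROUP = json.loads("""{
  "GroupId": "sg-0a1b2c3d4e5f60001",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.10.0.0/24"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"},
                          {"GroupId": "sg-0a1b2c3d4e5f60002"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"},
                          {"GroupId": "sg-0a1b2c3d4e5f60002"}]},
    {"IpProtocol": "tcp", "FromPort": 1999, "ToPort": 1999, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60002"}]}
  ]
}""")

if __name__ == "__main__":
    report = audit_ingress("leader_standby", SAMPLE_LEADER_GROUP["IpPermissions"])
    print(json.dumps(report, indent=2))
```

On the constructed sample the report lists 444 from the load balancer as missing, the 5432 rule from 0.0.0.0/0 as unexpected, and 5432 under world_open. To audit a real group, feed it `aws ec2 describe-security-groups --group-ids <id> --query 'SecurityGroups[0].IpPermissions'` after editing SOURCE_MAP; the same matrix passed through required_permissions() is what to apply when creating the group.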
Step 3: Connect to the EC2 instance
Perform this step for the Leader and Standby nodes:
Once the EC2 instance for your Conjur Server is available, right-click the instance and connect using the AWS instructions.
The Conjur AMI is based on Amazon Linux 2, so the ec2-user user is used for SSH access.
Step 4: Add ec2-user to the docker group
Perform this step for the Leader and Standby nodes:
- Connect to your node via SSH.
- Run the following command:
  $ sudo usermod -a -G docker ec2-user
- Log off the node and log back on for the change to take effect.
Note that membership in the docker group gives the user full control of the Docker daemon, which is equivalent to root on the host. Restrict who can SSH in as ec2-user accordingly.
Step 5: Managing the Conjur service
Amazon Linux 2 uses systemd as its init system. The name of the service that runs the Conjur container is conjur.
When upgrading or debugging Conjur, it is helpful to be able to manage the conjur service. This can be done as follows:
# View service status
$ sudo systemctl status conjur
# Start/stop/restart service
$ sudo systemctl start conjur
$ sudo systemctl stop conjur
$ sudo systemctl restart conjur
Logging
Container logs are sent to the systemd journal, using Docker's journald logging driver.
To view the container's logs use journalctl, filtering on the conjur unit:
$ sudo journalctl -u conjur
Docker's journald driver also records the container name in the CONTAINER_NAME field of each entry, so journalctl CONTAINER_NAME=conjur selects the container's output directly.
Because the AMI uses the journald logging driver, docker logs does not return the container's logs.
- For Leader / Standby: Configure Conjur Leader
- For Followers: Set up Follower