Troubleshoot data segregation

This section contains several procedures that can help you troubleshoot issues with data segregation.

Internal system user account

Determine whether the default user name for the internal account, system, is already in use in your environment. If another account named system already exists, you can use the --internal-account flag for the evoke configure master command to specify a unique name for this account. For more information, see Evoke command reference.

Inspect the status of your deployment

The following procedures can help you check the state of your deployment.

Inspect the existing state of your deployment

docker exec conjur-leader curl -k https://localhost/health | jq

View list of replication sets

docker exec conjur-leader evoke replication-set list

Inspect Follower and replication set health

docker exec conjur-follower curl -k https://localhost/health | jq

Check replication to Followers

  1. Create and initialize the Follower CLI container:

    docker run -it --rm \
       --network conjur \
       --volume "$PWD/cli-follower:/root" \
       cyberark/conjur-cli:8 \
       init \
       --account my-org \
       --url https://conjur-follower
     
    docker run --rm \
       --network conjur \
       --volume "$PWD/cli-follower:/root" \
       cyberark/conjur-cli:8 \
       login \
       --id admin \
       --password "$(<admin_password)"

  2. Retrieve the secret:

    docker run -it --rm \
       --network conjur \
       --volume "$PWD/cli-follower:/root" \
       cyberark/conjur-cli:8 \
       variable get secret-to-replicate
    echo

List system resources with cURL

curl -k -H "$(conjur authenticate -H)" \
   https://conjur-leader/resources/system

Issues after upgrade

If the upgrade procedure does not update the conjur.conf file with the data segregation configuration, add the following to /opt/conjur/etc/conjur.conf:

CONJUR_FEATURE_POLICY_LOAD_EXTENSIONS_ENABLED=TRUE
CONJUR_FEATURE_ROLES_API_EXTENSIONS_ENABLED=TRUE
CONJUR_EXTENSIONS=selective_replication
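
The following check is an added example, not part of the product documentation: a POSIX shell function that reports which of the three settings above are missing or set to a different value in a conjur.conf-style file. It assumes one KEY=VALUE per line as shown above, that lines starting with # are comments, and that the last assignment of a key is the effective one; the function name and the sample file contents are hypothetical.

```shell
#!/bin/sh
# Added example (not product code). Assumes KEY=VALUE lines as shown above,
# '#' comment lines, and that the last assignment of a key is the effective one.

# check_segregation_conf FILE (hypothetical helper)
# Prints one line per missing or mismatched setting.
# Returns 0 if all three match, 1 if any do not, 2 if FILE is unreadable.
check_segregation_conf() {
    conf=$1
    rc=0
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf"
        return 2
    fi
    for want in \
        CONJUR_FEATURE_POLICY_LOAD_EXTENSIONS_ENABLED=TRUE \
        CONJUR_FEATURE_ROLES_API_EXTENSIONS_ENABLED=TRUE \
        CONJUR_EXTENSIONS=selective_replication
    do
        key=${want%%=*}
        expected=${want#*=}
        if ! grep -q "^[[:space:]]*${key}[[:space:]]*=" "$conf"; then
            echo "missing: $want"
            rc=1
            continue
        fi
        # Value of the last active assignment, without CR or trailing blanks.
        actual=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" \
            | tail -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//')
        # Exact comparison against the value given on the page.
        if [ "$actual" != "$expected" ]; then
            echo "mismatch: $key is '$actual', expected '$expected'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: one setting commented out, one with a constructed wrong value.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
CONJUR_FEATURE_POLICY_LOAD_EXTENSIONS_ENABLED=TRUE
#CONJUR_FEATURE_ROLES_API_EXTENSIONS_ENABLED=TRUE
CONJUR_EXTENSIONS=none
EOF
check_segregation_conf "$demo_conf" || echo "add or correct the settings listed above"
rm -f "$demo_conf"
```

To check a node, call the function with /opt/conjur/etc/conjur.conf as its argument.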

Error after Follower configuration

Run the evoke configure follower command only once on each node. If the Follower configuration process results in an error, remove the node and restart the process. Running the evoke configure follower command multiple times on a node will result in an incorrect configuration.