Installing and Configuring CyberArk Conjur Service Broker for PCF

This topic describes how to install and configure CyberArk Conjur Service Broker for Pivotal Cloud Foundry (PCF).

Install and Configure CyberArk Conjur Service Broker for PCF

  1. Download the CyberArk Conjur Service Broker for PCF product file from Pivotal Network.

  2. Navigate to the Ops Manager Installation Dashboard and click Import a Product to upload the product file.

  3. Under the Import a Product button, click + next to the version number of CyberArk Conjur Service Broker for PCF. This adds the tile to your staging area.

  4. Click the newly added CyberArk Conjur Service Broker for PCF tile.

  5. Click the Settings tab.

  6. Configure the side tabs. The tabs with orange circles require configuration. The others are optional.

  7. Click Save.

  8. Return to the Ops Manager Installation Dashboard and click Apply changes to apply the configuration changes and complete the installation of the CyberArk Conjur Service Broker for PCF tile.

  9. Use cf marketplace to verify availability of the community service named cyberark-conjur.

Assign AZs and Networks

Choose appropriate values to configure where to deploy CyberArk Conjur Service Broker for PCF.

Service Broker Configuration

This tab configures communication between the Service Broker and a Conjur appliance.

Conjur Service Broker Configuration tab

  • Conjur Account: The organization account assigned during Conjur appliance installation. If you are using the Try Conjur hosted Conjur instance for a proof of concept, the account is typically your email address.

  • Conjur Appliance URL: The URL of the Conjur appliance that you are connecting to. If you are using Try Conjur hosted Conjur, this is https://eval.conjur.org.

  • Conjur Follower URL (Optional): If using high availability in Conjur EE, this should be the URL for a load balancer that manages the cluster’s Follower instances. This is the URL that applications that bind to the service broker will use to communicate with Conjur.

  • Conjur Login: The fully-qualified ID of a Conjur host for the service broker.

    The Host must have create and update privileges on the dedicated Conjur policy for PCF that you enter in the PCF Conjur Policy Branch ID field. If you are not using a dedicated Conjur policy for PCF, this login Host must have create and update privileges on the Conjur root policy.

    This login is only used by the Service Broker to add and remove Hosts from Conjur policy as your applications are deployed to or removed from PCF.

    This entry should be of the form host/host-id, where host-id is the fully-qualified Conjur Host ID (e.g. host/pcf-service-broker). The host/ prefix indicates to the Conjur authenticator that these credentials belong to a Host, and not a User.

  • Conjur API Key: The API key of the Conjur Host whose identity you provided in the Conjur Login field.

    If the Host’s API key changes, update this field and click Apply Changes to continue using the Service Broker to bind applications. After binding, an application has its own credentials for connecting to the Conjur appliance.

    Note: The Conjur Host credentials configured here are available only to PCF admins. They are not generally accessible to users in PCF.

  • Conjur Version: Defaults to 5. Select 4 for Enterprise Conjur v4. Select 5 for Enterprise Conjur v5 or Open Source Conjur (including an evaluation Hosted Conjur).

  • PCF Conjur Policy Branch ID: The fully-qualified Conjur Policy ID of the dedicated Conjur policy for PCF that you created (e.g. pcf/production). Leave blank to default to the root policy (not recommended).

  • Enable Spaced-scoped App Identities

    When an application is bound to the Conjur service, it receives an identity in Conjur and credentials to authenticate to Conjur.

    Configure the service broker to either create a single Conjur identity shared by all applications in a space, or to create a Conjur identity for each application individually.

    In PCF version 2.0+, when the service broker creates the space or app identity, it automatically adds it to Conjur Layers representing the Organization and Space where the application is deployed. Use these layers to control secret access at the org or space level, instead of the application host itself.

    Space-scoped Identity
    If Enable Spaced-scoped App Identities option is selected, when a service instance is created in a space, the service broker creates a space-wide Conjur Host. When an application is bound to the service, the service broker gives it the credentials of the space identity, rather than create a new host identity for each application.

    The advantage to this approach is that the bind operation only requires access to a Conjur follower and not the Conjur master. This promotes high-availability and scalability of app binding and secret retrieval.

    If you use space host identities, only use the org and space layers to permit access to secrets. More information on this is available in the Using guide.

    Application-scoped Identity
    If Enable Spaced-scoped App Identities option is not selected, the service broker creates a new Conjur host identity for each application bound to the service requiring the service broker to communicate with the Conjur master for each bind request.

    The advantage to this approach is finer-grained access control and audit logs in Conjur.

    Application host identities may be permitted to access secrets at the org and space level or at the individual application level.

  • Conjur Certificate: The PEM encoded x509 certificate chain for the Conjur server.

    This certificate chain may be retrieved from the Conjur server using the command:

    $ openssl s_client -showcerts -servername [CONJUR_DNS_NAME] \
        -connect [CONJUR_DNS_NAME]:443 < /dev/null 2> /dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    


    The certificate value should include the BEGIN CERTIFICATE and END CERTIFICATE lines:

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    

Click Save after providing the configuration values.

Buildpack Setttings

The tile installs the Conjur Buildpack, which enables your applications to leverage Summon to automatically inject secrets. The default settings are appropriate.

Service Access

If Enable global access to plans of service Conjur is checked, the Conjur service is available to all PCF users, across all orgs and spaces.

To configure more precise access control, uncheck this option and use cf enable-service-access to specify which orgs and spaces can access the Conjur service.

Errands

The CyberArk Conjur Service Broker for PCF tile does not add any errands.

Resource Config

The default settings are appropriate.

Apply Changes

After configuring the tile, finish the installation:

  • Navigate to the Ops Manager Dashboard
  • Click Review Pending Changes
  • Click Apply Changes
Create a pull request or raise an issue on the source for this page in GitHub