Installing and Configuring CyberArk Conjur Service Broker for PCF

This topic describes how to install and configure CyberArk Conjur Service Broker for Pivotal Cloud Foundry (PCF).

Install and Configure CyberArk Conjur Service Broker for PCF

  1. Download the CyberArk Conjur Service Broker for PCF product file from Pivotal Network.

  2. Navigate to the Ops Manager Installation Dashboard and click Import a Product to upload the product file.

  3. Under the Import a Product button, click + next to the version number of CyberArk Conjur Service Broker for PCF. This adds the tile to your staging area.

  4. Click the newly added CyberArk Conjur Service Broker for PCF tile.

  5. Click the Settings tab.

  6. Configure the side tabs. The tabs with orange circles require configuration. The others are optional.

  7. Click Save.

  8. Return to the Ops Manager Installation Dashboard and click Apply changes to apply the configuration changes and complete the installation of the CyberArk Conjur Service Broker for PCF tile.

  9. Use cf marketplace to verify availability of the community service named cyberark-conjur.

Assign AZs and Networks

Choose appropriate values to configure where to deploy CyberArk Conjur Service Broker for PCF.

Service Broker Configuration

This tab configures communication between the Service Broker and a Conjur appliance.

Conjur Service Broker Configuration tab

  • Conjur Account: The organization account assigned during Conjur appliance installation. If you are using a hosted Conjur instance for a proof of concept, the account is typically your email address.

  • Conjur Appliance URL: The URL of the Conjur appliance that you are connecting to.

  • Conjur Login: The fully-qualified ID of a Conjur Host.

    The Host must have create and update privileges on the dedicated Conjur policy for PCF that you enter in the PCF Conjur Policy Branch ID field. If you are not using a dedicated Conjur policy for PCF, this login Host must have create and update privileges on the Conjur root policy.

    This login is only used by the Service Broker to add and remove Hosts from Conjur policy as your applications are deployed to or removed from PCF.

    This entry should be of the form host/host-id, where host-id is the fully-qualified Conjur Host ID. The host/ prefix indicates to the Conjur authenticator that these credentials belong to a Host, and not a User.

  • Conjur API Key: The API key of the Conjur Host whose identity you provided in the Conjur Login field.

    If the Host’s API key changes, you need to update this field and click Apply Changes to continue using the Service Broker to bind applications. After binding, an application has its own credentials for connecting to the Conjur appliance.

    Note: The Conjur Host credentials configured here are available only to PCF admins. They are not generally accessible to users in PCF.

  • PCF Conjur Policy Branch ID: The fully-qualified Conjur Policy ID of the dedicated Conjur policy for PCF that you created. Leave blank to default to the root policy (not recommended).

  • Conjur Version: Defaults to 5. Select 4 for Enterprise Conjur. Select 5 for Open Source Conjur (including an evaluation Hosted Conjur).

  • Conjur Certificate: Required for Conjur Enterprise only. Copy and paste the contents of the .pem file that was created by the conjur init command when the Conjur appliance was configured. Be sure to include the Begin and End lines in the certificate.

    The .pem file is located in the root folder where Conjur was created. The file name is conjur-account.pem, where account is the account name provided for the Conjur instance.
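A pre-flight check for the values entered on this tab, as an added example rather than CyberArk or Pivotal code. The dictionary keys, the function name and the sample values are assumptions made for illustration; the rules it applies are the ones stated in the field descriptions above.

```python
import base64
import ssl

def check_broker_settings(s):
    """Return (errors, warnings) for a dict of tab values (key names are hypothetical)."""
    errors, warnings = [], []
    for field in ("account", "appliance_url", "login", "api_key"):
        if not s.get(field, "").strip():
            errors.append(f"{field} is empty")
    login = s.get("login", "").strip()
    # Without the host/ prefix the authenticator treats the login as a User.
    if login and (not login.startswith("host/") or login == "host/"):
        errors.append("login must have the form host/<host-id>")
    version = str(s.get("version", "5"))  # the tab defaults to 5
    if version not in ("4", "5"):
        errors.append("version must be 4 or 5")
    cert = s.get("certificate", "").strip()
    if version == "4" and not cert:
        errors.append("certificate is required for Conjur Enterprise (version 4)")
    if cert:
        try:
            # Checks the BEGIN/END lines and base64 body only, not X.509 validity.
            ssl.PEM_cert_to_DER_cert(cert)
        except ValueError as exc:
            errors.append(f"certificate: {exc}")
    if not s.get("policy_branch", "").strip():
        warnings.append("policy_branch is blank: the broker Host then needs "
                        "create and update privileges on the root policy")
    return errors, warnings

# Constructed sample values; the certificate body is a placeholder, not a real cert.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed placeholder").decode()
              + "\n-----END CERTIFICATE-----")
GOOD = {"account": "example-account", "appliance_url": "https://conjur.example.com",
        "login": "host/pcf/service-broker", "api_key": "constructed-api-key",
        "policy_branch": "pcf", "version": "4", "certificate": SAMPLE_PEM}
# Same values with a User-style login, no END line and no policy branch.
BAD = dict(GOOD, login="service-broker", policy_branch="",
           certificate=SAMPLE_PEM.replace("-----END CERTIFICATE-----", ""))

if __name__ == "__main__":
    for name, settings in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, *check_broker_settings(settings), sep="\n  ")
```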

Buildpack Settings

Do not change the installed sequence. meta_buildpack must install first, and conjur_buildpack must install second.

Service Access

If Enable global access to plans of service Conjur is checked, the Conjur service is available to all PCF users, across all orgs and spaces.

To configure more precise access control, uncheck this option and use cf enable-service-access to specify which orgs and spaces can access the Conjur service.

Errands

The CyberArk Conjur Service Broker for PCF tile does not add any errands.

Resource Config

The default settings are appropriate.

Stemcell

The latest major stemcell release is required by CyberArk Conjur Service Broker for PCF.

If the Stemcell side tab has a green checkmark, you have the latest release and no action is required.

If the Stemcell side tab has an orange circle, install the requested stemcell.
