Installing and Configuring CyberArk Conjur Service Broker for PCF
This topic describes how to install and configure CyberArk Conjur Service Broker for Pivotal Cloud Foundry (PCF).
Download the CyberArk Conjur Service Broker for PCF product file from Pivotal Network.
Navigate to the Ops Manager Installation Dashboard and click Import a Product to upload the product file.
Under the Import a Product button, click + next to the version number of CyberArk Conjur Service Broker for PCF. This adds the tile to your staging area.
Click the newly added CyberArk Conjur Service Broker for PCF tile.
Click the Settings tab.
Configure the side tabs. The tabs with orange circles require configuration. The others are optional.
Return to the Ops Manager Installation Dashboard and click Apply changes to apply the configuration changes and complete the installation of the CyberArk Conjur Service Broker for PCF tile.
Run cf marketplace to verify availability of the community service named
Choose appropriate values to configure where to deploy CyberArk Conjur Service Broker for PCF.
This tab configures communication between the Service Broker and a Conjur appliance.
Conjur Account: The organization account assigned during Conjur appliance installation. If you are using the Try Conjur hosted Conjur instance for a proof of concept, the account is typically your email address.
Conjur Appliance URL: The URL of the Conjur appliance that you are connecting to. If you are using Try Conjur hosted Conjur, this is
Conjur Follower URL (Optional): If using high availability in Conjur EE, this should be the URL for a load balancer that manages the cluster’s Follower instances. This is the URL that applications that bind to the service broker will use to communicate with Conjur.
Conjur Login: The fully-qualified ID of a Conjur host for the service broker.
The Host must have update privileges on the dedicated Conjur policy for PCF that you enter in the PCF Conjur Policy Branch ID field. If you are not using a dedicated Conjur policy for PCF, this login Host must have update privileges on the Conjur root policy.
This login is only used by the Service Broker to add and remove Hosts from Conjur policy as your applications are deployed to or removed from PCF.
This entry should be of the form host/<host-id>, where host-id is the fully-qualified Conjur Host ID (e.g.
The host/ prefix indicates to the Conjur authenticator that these credentials belong to a Host, and not a User.
Conjur API Key: The API key of the Conjur Host whose identity you provided in the Conjur Login field.
If the Host’s API key changes, update this field and click Apply Changes to continue using the Service Broker to bind applications. After binding, an application has its own credentials for connecting to the Conjur appliance.
Note: The Conjur Host credentials configured here are available only to PCF admins. They are not generally accessible to users in PCF.
Conjur Version: Defaults to 5. Select 4 for Enterprise Conjur v4. Select 5 for Enterprise Conjur v5 or Open Source Conjur (including an evaluation Hosted Conjur).
PCF Conjur Policy Branch ID: The fully-qualified Conjur Policy ID of the dedicated Conjur policy for PCF that you created (e.g. pcf/production). Leave blank to default to the root policy (not recommended).
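A Conjur v5 policy that creates this layout, added here as an example and not taken from the tile's own documentation; pcf/production is the branch ID from the field above, while the Host name service-broker and its placement under the pcf branch are assumptions:

```yaml
# Added example (not the tile's own policy): a dedicated PCF branch plus the
# Host the Service Broker logs in as. Only pcf/production comes from the docs;
# the Host id "service-broker" and its placement are assumptions.
- !policy
  id: pcf
  body:
    # Identity for the tile's "Conjur Login" field, entered as
    # host/pcf/service-broker. Its API key is printed when this policy loads
    # and goes in the "Conjur API Key" field.
    - !host
      id: service-broker
      annotations:
        description: Used only by the Conjur Service Broker for PCF

    # The branch the broker manages; enter "pcf/production" in the
    # "PCF Conjur Policy Branch ID" field. It starts empty: the broker adds
    # and removes application Hosts here as apps are bound and unbound.
    - !policy
      id: production
      body: []

    # Least privilege: update on pcf/production only. The broker Host lives
    # outside that branch, so it cannot rewrite its own definition, and it
    # gets no privilege on the root policy.
    - !permit
      role: !host service-broker
      privileges: [ update ]
      resource: !policy production
```

Load it as a Conjur admin with the Conjur CLI (for example conjur policy load root pcf.yml) and record the API key it prints for pcf/service-broker; that key only needs to be known to the PCF admins who fill in the tile.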
Conjur Certificate: The PEM-encoded X.509 certificate chain for the Conjur server.
This certificate chain may be retrieved from the Conjur server using the command:
$ openssl s_client -showcerts -servername [CONJUR_DNS_NAME] \
    -connect [CONJUR_DNS_NAME]:443 < /dev/null 2> /dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
The certificate value should include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Because s_client records whatever chain the endpoint presents, confirm with the Conjur administrator (for example by comparing certificate fingerprints) that it is the expected chain before saving it.
Click Save after providing the configuration values.
The tile installs the Conjur Buildpack, which enables your applications to leverage Summon to automatically inject secrets. The default settings are appropriate.
If Enable global access to plans of service Conjur is checked, the Conjur service is available to all PCF users, across all orgs and spaces.
To configure more precise access control, uncheck this option and use cf enable-service-access to specify which orgs and spaces can access the Conjur service.
The CyberArk Conjur Service Broker for PCF tile does not add any errands.
The default settings are appropriate.
After configuring the tile, finish the installation:
- Navigate to the Ops Manager Dashboard
- Click Review Pending Changes
- Click Apply Changes