Installing and Configuring CyberArk Conjur Service Broker for PCF
This topic describes how to install and configure CyberArk Conjur Service Broker for Pivotal Cloud Foundry (PCF).
Download the CyberArk Conjur Service Broker for PCF product file from Pivotal Network.
Navigate to the Ops Manager Installation Dashboard and click Import a Product to upload the product file.
Under the Import a Product button, click + next to the version number of CyberArk Conjur Service Broker for PCF. This adds the tile to your staging area.
Click the newly added CyberArk Conjur Service Broker for PCF tile.
Click the Settings tab.
Configure the side tabs. The tabs with orange circles require configuration. The others are optional.
Return to the Ops Manager Installation Dashboard and click Apply changes to apply the configuration changes and complete the installation of the CyberArk Conjur Service Broker for PCF tile.
cf marketplaceto verify availability of the community service named
Choose appropriate values to configure where to deploy CyberArk Conjur Service Broker for PCF.
This tab configures communication between the Service Broker and a Conjur appliance.
Conjur Account: The organization account assigned during Conjur appliance installation. If you are using a hosted Conjur instance for a proof of concept, the account is typically your email address.
Conjur Appliance URL: The URL of the Conjur appliance that you are connecting to.
Conjur Login: The fully-qualified ID of a Conjur Host.
The Host must have
updateprivileges on the dedicated Conjur policy for PCF that you enter in the PCF Conjur Policy Branch ID field. If you are not using a dedicated Conjur policy for PCF, this login Host must have
updateprivileges on the Conjur root policy.
This login is only used by the Service Broker to add and remove Hosts from Conjur policy as your applications are deployed to or removed from PCF.
This entry should be of the form
host-idis the fully-qualified Conjur Host ID. The
host/prefix indicates to the Conjur authenticator that these credentials belong to a Host, and not a User.
Conjur API Key: The API key of the Conjur Host whose identity you provided in the Conjur Login field.
If the Host’s API key changes, you need to update this field and click Apply Changes to continue using the Service Broker to bind applications. After binding, an application has its own credentials for connecting to the Conjur appliance.
Note: The Conjur Host credentials configured here are available only to PCF admins. They are not generally accessible to users in PCF.
PCF Conjur Policy Branch ID: The fully-qualified Conjur Policy ID of the dedicated Conjur policy for PCF that you created. Leave blank to default to the root policy (not recommended).
Conjur Version: Defaults to 5. Select 4 for Enterprise Conjur. Select 5 for Open Source Conjur (including an evaluation Hosted Conjur).
Conjur Certificate: Required for Conjur Enterprise only. Copy and paste the contents of the .pem file that was created by the
conjur initcommand when the Conjur appliance was configured. Be sure to include the Begin and End lines in the certificate.
The .pem file is located in the root folder where Conjur was created. The file name is
conjur-account.pem, where account is the account name provided for the Conjur instance.
Do not change the installed sequence.
meta_buildpack must install first, and
conjur_buildpack must install second.
If Enable global access to plans of service Conjur is checked, the Conjur service is available to all PCF users, across all orgs and spaces.
To configure more precise access control, uncheck this option and use
cf enable-service-access to specify which orgs and spaces can access the Conjur service.
The CyberArk Conjur Service Broker for PCF tile does not add any errands.
The default settings are appropriate.
The latest major stemcell release is required by CyberArk Conjur Service Broker for PCF.
If the Stemcell side tab has a green checkmark, you have the latest release and no action is required.
If the Stemcell side tab has an orange circle, install the requested stemcell.