Any way to reset DAP DB without losing the CyberArk Synchronizer creds?

archerbj · June 16, 2020, 8:42pm

Seem to be discovering new ways to blow up our test Conjur/DAP cluster.

So, seem to have managed to introduce some zombie policy group/user elements in the DAP DB. Query for them, and they can’t be found. Try to re-load them, and can’t because they already exist.

I’d just start from scratch, but would prefer not to have to rebuild the Synchronizer as well. Is there any way to save those keys and certs? Or some way to clear them from the pgsql db?

nathan.whipple · June 16, 2020, 8:55pm

Hi Barry,

I’d be curious to figure out how to reproduce this zombie state your in. That aside, the only way I’m aware of to completely clear the DB is to re-deploy the master. If you did this, and ensured you kept the org account the same, you can then load the top level synchronizer policy and avoid re-installing the sync service. This will create a new sync host API key, but provided the names are kept unchanged then the only thing you’ll need to update is the password value of the sync host password object you created in the ConjurSync safe. To recap:

Provided the following is true:
The certificates on the master are kept the same
The Org Account is kept the same
The VCS integration name is kept the same
The sync host name is kept the same

Then you can load the base synchronizer policy and only need to update the password of the sync host object in ConjurSync with the new API key (Change Password > Only in Vault > set new password value to equal API key for sync host)

Base synchronizer policy is below. VCS_HOSTNAME is typically the NETBIOS name of the host the synchronizer is installed on. INTEGRATION_NAME is the name chosen for the integration when you originally ran the installation. :

#======================
# Synchronizer Policy
#======================
- !group $INTEGRATION_NAME-admins
- !host Sync_$VCS_HOSTNAME
- !grant
  role: !group $INTEGRATION_NAME-admins
  members: !host Sync_$VCS_HOSTNAME
- !policy
  id: $INTEGRATION_NAME
  owner: !group $INTEGRATION_NAME-admins

Regards,
Nathan

archerbj · June 16, 2020, 9:20pm

Aha. That makes sense. And have the $INTEGRATION_NAME and Sync_$VCS_HOSTNAME

So we should be able to do that.

Thanks!

(Also, I’ll see if I can get you the zombie state somehow.)

archerbj · June 18, 2020, 5:51pm

Nathan,

Worked like a charm.

Thanks!

Barry

Topic		Replies	Views
Removing a LOB access to a Vault safe (Enterprise DAP) Conjur Enterprise	5	719	June 15, 2020
CyberArk Vault-Synchronizer Service Restart increments Conjur Secret Versions Conjur Enterprise conjur	3	546	January 25, 2022
Vault Synchronizer with HA Topology Conjur Enterprise conjur	3	515	October 13, 2021
Error when Syncing secrets from CyberArk Vault to DAP Conjur Enterprise	6	1085	February 9, 2022
Failed to initialize Conjur client... (401) Unauthorized Conjur Enterprise	3	1166	February 13, 2020

Any way to reset DAP DB without losing the CyberArk Synchronizer creds?

Related Topics