Seem to be discovering new ways to blow up our test Conjur/DAP cluster.
So, seem to have managed to introduce some zombie policy group/user elements in the DAP DB. Query for them, and they can’t be found. Try to re-load them, and can’t because they already exist.
I’d just start from scratch, but would prefer not to have to rebuild the Synchronizer as well. Is there any way to save those keys and certs? Or some way to clear them from the pgsql db?
I’d be curious to figure out how to reproduce this zombie state your in. That aside, the only way I’m aware of to completely clear the DB is to re-deploy the master. If you did this, and ensured you kept the org account the same, you can then load the top level synchronizer policy and avoid re-installing the sync service. This will create a new sync host API key, but provided the names are kept unchanged then the only thing you’ll need to update is the password value of the sync host password object you created in the ConjurSync safe. To recap:
Provided the following is true:
The certificates on the master are kept the same
The Org Account is kept the same
The VCS integration name is kept the same
The sync host name is kept the same
Then you can load the base synchronizer policy and only need to update the password of the sync host object in ConjurSync with the new API key (Change Password > Only in Vault > set new password value to equal API key for sync host)
Base synchronizer policy is below. VCS_HOSTNAME is typically the NETBIOS name of the host the synchronizer is installed on. INTEGRATION_NAME is the name chosen for the integration when you originally ran the installation. :