Conjur dap-seedfetcher problem (OCP 4.6 Integration) Error 400 Bad Request

Secrets Management - Conjur, Secrets Hub & CP Conjur Enterprise
1

Hi,

I have problem when try to integrate with OCP 4.6 using DAP 12.1.1, so i set up docker for conjur-appliance using hostname same as hostname host. And all set up, and authentication from OCP to DAP all works good but when OCP try to fetch the seed file from https;// xxxxx/configuration/conjurcyberark/seed/follower it return 400 Bad Request.

From the dap-seedfetcher logs on OCP it said CAK035 Successfully authenticated and success connected to the conjur url. And after that return an errror like this:

HTTP request sent, awaiting response… 400 Bad Request
ERROR 400: Bad Request.

Hope you guys can help, thank you

2

Hi Chandra,
This looks like a CyberArk enterprise issue. Have you opened up a CyberArk support ticket yet? If not then that would definitely be a good way to go about this and get a quick response.

3

Hi Natalia,

I haven’t opened a CyberArk support ticket, but is it a CyberArk Enterprise issue? And do you know what causes error 400?

Thank you

4

Hi @chan_sgt , a 400 error like this indicates a problem with the request itself. If you like, please post the docker logs from instance running the authn-k8s webservice as well as the full log from the authenticator client. The follower manifest would be good to see as well.

Regards,
Nathan

5

Hi Nathan,

Here is from conjur log

<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="127"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00049D Resource restrictions were not found in annotations, extracting from host ID 'host/conjur/authn-k8s/ocp/apps/cyberark-conjur/service_account/conjur-cluster'
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="128"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00040D Resource restrictions were extracted: '["namespace", "service-account"]'
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="129"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00041D Validating resource restrictions configuration
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="130"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00042D Resource restrictions configuration validated
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="131"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00044D Validating resource restrictions on request
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="132"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00048D Validating resource restriction on request: 'namespace'
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="133"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00048D Validating resource restriction on request: 'service-account'
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="134"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00050D Validating K8s resource. Type:'service_account', Name: conjur-cluster
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="135"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00051D Validated K8s resource. Type:'service_account', Name: conjur-cluster
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="136"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00045D Resource restrictions matched request
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="137"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00030D Resource restrictions validated
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="138"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00027D Host id conjurcyberark:host:conjur/authn-k8s/ocp/apps/cyberark-conjur/service_account/conjur-cluster extracted from CSR common name
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="139"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397]   Sequel::Postgres::Database (0.2ms)  SELECT * FROM "resources" WHERE "resource_id" = 'conjurcyberark:host:conjur/authn-k8s/ocp/apps/cyberark-conjur/service_account/conjur-cluster'
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="140"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397]   Sequel::Postgres::Database (0.1ms)  SELECT * FROM "annotations" WHERE ("annotations"."resource_id" = 'conjurcyberark:host:conjur/authn-k8s/ocp/apps/cyberark-conjur/service_account/conjur-cluster')
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="141"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00024D Retrieved value of annotation kubernetes/authentication-container-name
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="142"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397]   Sequel::Postgres::Database (0.1ms)  SELECT * FROM "resources" WHERE "resource_id" = 'conjurcyberark:variable:conjur/authn-k8s/ocp/ca/cert'
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="143"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397]   Sequel::Postgres::Database (0.1ms)  SELECT * FROM "resources" WHERE "resource_id" = 'conjurcyberark:variable:conjur/authn-k8s/ocp/ca/key'
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="144"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397]   Sequel::Postgres::Database (0.2ms)  SELECT * FROM "secrets" WHERE ("secrets"."resource_id" = 'conjurcyberark:variable:conjur/authn-k8s/ocp/ca/cert') ORDER BY "version" DESC LIMIT 1
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="145"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397]   Sequel::Postgres::Database (0.1ms)  SELECT * FROM "secrets" WHERE ("secrets"."resource_id" = 'conjurcyberark:variable:conjur/authn-k8s/ocp/ca/key') ORDER BY "version" DESC LIMIT 1
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="146"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397]   Sequel::Postgres::Database (0.1ms)  SELECT * FROM "roles" WHERE ("role_id" = 'conjurcyberark:host:conjur/authn-k8s/ocp/apps/cyberark-conjur/service_account/conjur-cluster') LIMIT 1
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="147"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397]   Sequel::Postgres::Database (0.2ms)  SELECT * FROM "slosilo_keystore" WHERE "id" = 'authn:conjurcyberark'
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="148"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397]   Sequel::Postgres::Database (0.2ms)  COMMIT
<14>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="149"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] Completed 200 OK in 132ms (Views: 0.2ms)
<14>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="150"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397] Started GET "/resources/conjurcyberark/webservice/conjur/seed-generation/?check=true&privilege=execute" for 127.0.0.1 at 2021-05-18 08:34:01 +0000
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="151"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397]   Sequel::Postgres::Database (0.2ms)  SELECT * FROM "slosilo_keystore" WHERE ("fingerprint" = 'b8b65d461ff3d98ecedbbc3824d976310c71e752b58aa75e9726e77d9c04ab7a') LIMIT 1
<14>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="152"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397] Processing by ResourcesController#check_permission as */*
<14>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="153"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397]   Parameters: {"check"=>"true", "privilege"=>"execute", :controller=>"resources", :action=>"check_permission", :account=>"conjurcyberark", :kind=>"webservice", :identifier=>"conjur/seed-generation"}
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="154"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397]   Sequel::Postgres::Database (0.1ms)  BEGIN
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="155"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397]   Sequel::Postgres::Database (0.2ms)  SELECT * FROM "roles" WHERE "role_id" = 'conjurcyberark:host:conjur/authn-k8s/ocp/apps/cyberark-conjur/service_account/conjur-cluster'
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="156"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397]   Sequel::Postgres::Database (0.1ms)  SELECT * FROM "resources" WHERE "resource_id" = 'conjurcyberark:webservice:conjur/seed-generation'
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="157"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397]   Sequel::Postgres::Database (0.5ms)  SELECT is_resource_visible('conjurcyberark:webservice:conjur/seed-generation', 'conjurcyberark:host:conjur/authn-k8s/ocp/apps/cyberark-conjur/service_account/conjur-cluster') LIMIT 1
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="158"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397]   Sequel::Postgres::Database (0.8ms)  SELECT * FROM is_role_allowed_to('conjurcyberark:host:conjur/authn-k8s/ocp/apps/cyberark-conjur/service_account/conjur-cluster', 'execute', 'conjurcyberark:webservice:conjur/seed-generation') LIMIT 1
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="159"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397]   Sequel::Postgres::Database (0.1ms)  COMMIT
<14>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="160"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397] Completed 204 No Content in 3ms
<134>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a evoke-seed - - [meta sequenceId="161"] (IP_OCP) - - [18/May/2021:08:32:30 +0000] "POST /conjurcyberark/follower HTTP/1.1" 400 113 0.0137
<13>1 2021-05-18T08:34:01.872+00:00 54d41d48e24a nginx - - [meta sequenceId="162"] (IP_OCP) "-" "POST /authn-k8s/ocp/conjurcyberark/host%2Fconjur%2Fauthn-k8s%2Focp%2Fapps%2Fcyberark-conjur%2Fservice_account%2Fconjur-cluster/authenticate HTTP/1.1" 200 720 "-" "Go-http-client/1.1" 0.134 0.134
<13>1 2021-05-18T08:34:01.872+00:00 54d41d48e24a nginx - - [meta sequenceId="163"] (IP_OCP) "-" "POST /configuration/conjurcyberark/seed/follower HTTP/1.1" 400 113 "-" "Wget/1.21.1" 0.013 0.013
<86>1 2021-05-18T08:35:01.000+00:00 54d41d48e24a CRON 36418 - [meta sequenceId="1"] pam_unix(cron:session): session opened for user root by (uid=0)
<78>1 2021-05-18T08:35:01.000+00:00 54d41d48e24a CRON 36420 - [meta sequenceId="2"] (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
<86>1 2021-05-18T08:35:01.000+00:00 54d41d48e24a CRON 36418 - [meta sequenceId="3"] pam_unix(cron:session): session closed for user root
6

And here is from seed-fetcher log

image
image1282×530 121 KB

7

The problem is CONJUR_SEED_FILE_URL format is not same like alt_name in certificate.

example:
conjur.cyberark-demo.com in CONJUR_SEED_FILE_URL and in alt_name in certificate is CONJUR.cyberark-demo.com (it will output 400 Bad Request)

Solution:
edit CONJUR_SEED_FILE_URL from conjur.cyberark-demo.com to CONJUR.cyberark-demo.com

8

@chan_sgt , thank you for figuring this out, and my apologies for not responding. By chance, could you open a case for this containing your findings? This behavior is unexpected at best, and I feel we can and should improve the product to avoid this pain in the future. Feel free to drop my name in the case if you’d like. :slight_smile:

Regards,
Nate

9

Sure, how to open a case?

10

Hi @chan_sgt, the easiest way is to email support@cyberark.com.

Regards,
Nate

11

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.