Conjur dap-seedfetcher problem (OCP 4.6 Integration) Error 400 Bad Request

Hi,

I have problem when try to integrate with OCP 4.6 using DAP 12.1.1, so i set up docker for conjur-appliance using hostname same as hostname host. And all set up, and authentication from OCP to DAP all works good but when OCP try to fetch the seed file from https;// xxxxx/configuration/conjurcyberark/seed/follower it return 400 Bad Request.

From the dap-seedfetcher logs on OCP it said CAK035 Successfully authenticated and success connected to the conjur url. And after that return an errror like this:

HTTP request sent, awaiting response… 400 Bad Request
ERROR 400: Bad Request.

Hope you guys can help, thank you

Hi Chandra,
This looks like a CyberArk enterprise issue. Have you opened up a CyberArk support ticket yet? If not then that would definitely be a good way to go about this and get a quick response.

Hi Natalia,

I haven’t opened a CyberArk support ticket, but is it a CyberArk Enterprise issue? And do you know what causes error 400?

Thank you

Hi @chan_sgt , a 400 error like this indicates a problem with the request itself. If you like, please post the docker logs from instance running the authn-k8s webservice as well as the full log from the authenticator client. The follower manifest would be good to see as well.

Regards,
Nathan

Hi Nathan,

Here is from conjur log

<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="127"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00049D Resource restrictions were not found in annotations, extracting from host ID 'host/conjur/authn-k8s/ocp/apps/cyberark-conjur/service_account/conjur-cluster'
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="128"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00040D Resource restrictions were extracted: '["namespace", "service-account"]'
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="129"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00041D Validating resource restrictions configuration
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="130"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00042D Resource restrictions configuration validated
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="131"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00044D Validating resource restrictions on request
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="132"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00048D Validating resource restriction on request: 'namespace'
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="133"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00048D Validating resource restriction on request: 'service-account'
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="134"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00050D Validating K8s resource. Type:'service_account', Name: conjur-cluster
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="135"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00051D Validated K8s resource. Type:'service_account', Name: conjur-cluster
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="136"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00045D Resource restrictions matched request
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="137"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00030D Resource restrictions validated
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="138"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00027D Host id conjurcyberark:host:conjur/authn-k8s/ocp/apps/cyberark-conjur/service_account/conjur-cluster extracted from CSR common name
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="139"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397]   Sequel::Postgres::Database (0.2ms)  SELECT * FROM "resources" WHERE "resource_id" = 'conjurcyberark:host:conjur/authn-k8s/ocp/apps/cyberark-conjur/service_account/conjur-cluster'
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="140"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397]   Sequel::Postgres::Database (0.1ms)  SELECT * FROM "annotations" WHERE ("annotations"."resource_id" = 'conjurcyberark:host:conjur/authn-k8s/ocp/apps/cyberark-conjur/service_account/conjur-cluster')
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="141"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] CONJ00024D Retrieved value of annotation kubernetes/authentication-container-name
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="142"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397]   Sequel::Postgres::Database (0.1ms)  SELECT * FROM "resources" WHERE "resource_id" = 'conjurcyberark:variable:conjur/authn-k8s/ocp/ca/cert'
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="143"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397]   Sequel::Postgres::Database (0.1ms)  SELECT * FROM "resources" WHERE "resource_id" = 'conjurcyberark:variable:conjur/authn-k8s/ocp/ca/key'
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="144"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397]   Sequel::Postgres::Database (0.2ms)  SELECT * FROM "secrets" WHERE ("secrets"."resource_id" = 'conjurcyberark:variable:conjur/authn-k8s/ocp/ca/cert') ORDER BY "version" DESC LIMIT 1
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="145"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397]   Sequel::Postgres::Database (0.1ms)  SELECT * FROM "secrets" WHERE ("secrets"."resource_id" = 'conjurcyberark:variable:conjur/authn-k8s/ocp/ca/key') ORDER BY "version" DESC LIMIT 1
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="146"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397]   Sequel::Postgres::Database (0.1ms)  SELECT * FROM "roles" WHERE ("role_id" = 'conjurcyberark:host:conjur/authn-k8s/ocp/apps/cyberark-conjur/service_account/conjur-cluster') LIMIT 1
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="147"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397]   Sequel::Postgres::Database (0.2ms)  SELECT * FROM "slosilo_keystore" WHERE "id" = 'authn:conjurcyberark'
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="148"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397]   Sequel::Postgres::Database (0.2ms)  COMMIT
<14>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="149"] [origin=(IP_OCP)] [request_id=7f1013c4-78a0-46bc-93a7-227c752e302d] [tid=36397] Completed 200 OK in 132ms (Views: 0.2ms)
<14>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="150"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397] Started GET "/resources/conjurcyberark/webservice/conjur/seed-generation/?check=true&privilege=execute" for 127.0.0.1 at 2021-05-18 08:34:01 +0000
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="151"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397]   Sequel::Postgres::Database (0.2ms)  SELECT * FROM "slosilo_keystore" WHERE ("fingerprint" = 'b8b65d461ff3d98ecedbbc3824d976310c71e752b58aa75e9726e77d9c04ab7a') LIMIT 1
<14>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="152"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397] Processing by ResourcesController#check_permission as */*
<14>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="153"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397]   Parameters: {"check"=>"true", "privilege"=>"execute", :controller=>"resources", :action=>"check_permission", :account=>"conjurcyberark", :kind=>"webservice", :identifier=>"conjur/seed-generation"}
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="154"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397]   Sequel::Postgres::Database (0.1ms)  BEGIN
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="155"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397]   Sequel::Postgres::Database (0.2ms)  SELECT * FROM "roles" WHERE "role_id" = 'conjurcyberark:host:conjur/authn-k8s/ocp/apps/cyberark-conjur/service_account/conjur-cluster'
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="156"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397]   Sequel::Postgres::Database (0.1ms)  SELECT * FROM "resources" WHERE "resource_id" = 'conjurcyberark:webservice:conjur/seed-generation'
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="157"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397]   Sequel::Postgres::Database (0.5ms)  SELECT is_resource_visible('conjurcyberark:webservice:conjur/seed-generation', 'conjurcyberark:host:conjur/authn-k8s/ocp/apps/cyberark-conjur/service_account/conjur-cluster') LIMIT 1
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="158"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397]   Sequel::Postgres::Database (0.8ms)  SELECT * FROM is_role_allowed_to('conjurcyberark:host:conjur/authn-k8s/ocp/apps/cyberark-conjur/service_account/conjur-cluster', 'execute', 'conjurcyberark:webservice:conjur/seed-generation') LIMIT 1
<15>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="159"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397]   Sequel::Postgres::Database (0.1ms)  COMMIT
<14>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a conjur-possum 33647 - [meta sequenceId="160"] [origin=127.0.0.1] [request_id=d6361df1-2db4-43cc-96af-9490fc120bac] [tid=36397] Completed 204 No Content in 3ms
<134>1 2021-05-18T08:34:01.000+00:00 54d41d48e24a evoke-seed - - [meta sequenceId="161"] (IP_OCP) - - [18/May/2021:08:32:30 +0000] "POST /conjurcyberark/follower HTTP/1.1" 400 113 0.0137
<13>1 2021-05-18T08:34:01.872+00:00 54d41d48e24a nginx - - [meta sequenceId="162"] (IP_OCP) "-" "POST /authn-k8s/ocp/conjurcyberark/host%2Fconjur%2Fauthn-k8s%2Focp%2Fapps%2Fcyberark-conjur%2Fservice_account%2Fconjur-cluster/authenticate HTTP/1.1" 200 720 "-" "Go-http-client/1.1" 0.134 0.134
<13>1 2021-05-18T08:34:01.872+00:00 54d41d48e24a nginx - - [meta sequenceId="163"] (IP_OCP) "-" "POST /configuration/conjurcyberark/seed/follower HTTP/1.1" 400 113 "-" "Wget/1.21.1" 0.013 0.013
<86>1 2021-05-18T08:35:01.000+00:00 54d41d48e24a CRON 36418 - [meta sequenceId="1"] pam_unix(cron:session): session opened for user root by (uid=0)
<78>1 2021-05-18T08:35:01.000+00:00 54d41d48e24a CRON 36420 - [meta sequenceId="2"] (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
<86>1 2021-05-18T08:35:01.000+00:00 54d41d48e24a CRON 36418 - [meta sequenceId="3"] pam_unix(cron:session): session closed for user root

And here is from seed-fetcher log

The problem is CONJUR_SEED_FILE_URL format is not same like alt_name in certificate.

example:
conjur.cyberark-demo.com in CONJUR_SEED_FILE_URL and in alt_name in certificate is CONJUR.cyberark-demo.com (it will output 400 Bad Request)

Solution:
edit CONJUR_SEED_FILE_URL from conjur.cyberark-demo.com to CONJUR.cyberark-demo.com