Conjur Java API Usage Example

The Conjur Java API is a powerful tool for integrating Conjur into your Java projects. Here’s a small example I put together to demonstrate it locally.

1. Set Up Conjur Server

First, you need to set up a local Conjur OSS server. You can either set the server up manually by following to Conjur Quick Start Tutorial, or you can use the repo I made for quickly setting up Conjur instances for projects like this HERE and run ./setup.sh.

Next, give the variable we defined a secret:

docker-compose exec client conjur authn login -u admin -p <admin_API_KEY>
docker-compose exec client conjur variable values add test/secret secretValue

<admin_API_KEY>: Stored in admin_data

Note: This repo is a really rough script I use with a lot of room for improvement. Feel free to use it as just a guide if you want. The main reason I use this repo is to grab the cert from the Conjur server automatically for testing locally

2. Add Cert to Java Keystore

Next, we need to add our cert to our Java keystore.

First, find your JRE_HOME directory and set it as an environment variable if it’s not already set.

export JRE_HOME=<path_to_JRE_home>

Following the docs we convert the cert from .pem to .der.

openssl x509 -outform der -in conjure-myConjurAccount.pem -out conjur-myConjurAccount.der

Finally, we add the cert to our Java Keystore:

sudo -E keytool -importcert \
    -alias conjur-myConjurAccount \
    -keystore "$JRE_HOME/lib/security/cacerts" \
    -storepass changeit \
    -file ./conjur-myConjurAccount.der

3. Set Env Variables

export CONJUR_ACCOUNT: myConjurAccount
export CONJUR_AUTHN_LOGIN: host/test/myApp
export CONJUR_AUTHN_API_KEY: <myApp_API_KEY>
export CONJUR_APPLIANCE_URL: https://127.0.0.1:8443
export CONJUR_SECOND_USER: admin
export CONJUR_SECOND_API_KEY: <admin_API_KEY>

<myApp_API_KEY>: Stored in user_data
<admin_API_KEY>: Stored in admin_data

4. Setup Java App

On my machine, Eclipse cannot access the env variables unless it’s launched from the same Terminal that set them. This will probably be different on your machine. To launch Eclipse I use:

open /Applications/Eclipse.app

Finally, we can set up our Java app. Make sure to follow the Setup instructions to incorporate the Conjur Java API into your project. Both the Maven and JAR File setup will work for this example.

Here is the quick Java app I wrote for this example. The app:

  1. retrieves the secret as myApp
  2. logins into a user with write privileges(admin)
  3. changes the secret value
  4. retrieves the new secret value as myApp

main.java

import com.cyberark.conjur.api.Conjur;

public class main {
	static String variableID = "test/secret",
			originalSecret = "secretValue",
			newSecret = "ChangedByJavaAPI";
	
	public static void main(String[] args) {	
		String conjurAccount = System.getenv("CONJUR_ACCOUNT");
		String userLogin = System.getenv("CONJUR_AUTHN_LOGIN");
		String userAPIKey = System.getenv("CONJUR_AUTHN_API_KEY");
		String applianceURL = System.getenv("CONJUR_APPLIANCE_URL");
		String secondUser = System.getenv("CONJUR_SECOND_USER");
		String secondUserAPIKey = System.getenv("CONJUR_SECOND_API_KEY");
		
		// Login to user
		System.out.println("Logging into user: "+ userLogin);
		Conjur conjur = new Conjur();
		printLine();
		
		// Get secret as user
		System.out.println("Retrieving secret as: " + userLogin);
		String secret = conjur.variables().retrieveSecret(variableID);
		System.out.println(variableID + ": " + secret);
		printLine();
		
		// Log into account with write privileges
		System.out.println("Logging into user: " + secondUser);
		Conjur adminUser = new Conjur(secondUser, secondUserAPIKey);
		//System.out.println(adminUser.variables().toString());
		
		// Change variable value
		System.out.println("Setting '" + variableID + "' to: " + newSecret);
		adminUser.variables().addSecret(variableID, newSecret);
		printLine();
		
		// Retrieve new value
		System.out.println("Retrieving secret again as: " + userLogin);
		secret = conjur.variables().retrieveSecret(variableID);
		System.out.println(variableID + ": " + secret);
		
		reset(adminUser);
	}
	
	private static void reset(Conjur conjur) {
		conjur.variables().addSecret(variableID, originalSecret);
		
	}
	
	private static void printLine() {
		System.out.println("-----------------------");
	}

}

Note: The import may be different depending on whether you used Maven or the JAR File. This example uses Maven. For the JAR File it will be:

import net.conjur.api.Conjur;

Add this file to your Java project you created.

4. Run

You should now be able to run this and watch the Conjur Java API do it’s thang!

If you have any questions feel free to ask, thanks for reading!

3 Likes