CyberArk Vault-Synchronizer Service Restart increments Conjur Secret Versions

Hi All,

Hope all are doing good.

Just wanted to get some insights on why this is happening.
Conjur Secret versioning is critical to our use-case, and it seems the synchronizer service restart initiates a full sync [Refresh LOB Task, as seen in Account Activities] and it overrides the secret in Conjur and increments the version by +1.

This shouldn’t happen, as the secret has not changed in the CyberArk Vault. This skews the secret versioning.

Thoughts?

@AndrewCopeland @joe.garcia @CaptainFluffyToes @nathan.whipple @kumbirai

I would recommend two things in this case (with a minimum of at least #1):

  1. Create an Enhancement Request through our Technical Community Portal to have this behavior corrected if the community comes to a consensus. This is not a bug, so opening a Support Case would go nowhere.
  2. Starting from v12.3 and above, enable SyncDelete on the Synchronizer config. This will enable the ability for the synchronizer service to remove secrets from Conjur when they are no longer present in EPV or the LOB_User account is removed as a safe member. After enabling that, remove all LOB_Users from safes being synchronized, wait for all secrets to be removed from Conjur, then re-add the LOB_Users to the safes. This will reset the version count in Conjur to be accurate according to your desired behavior of the Synchronizer service.

I should also note that delegation/consumers groups will be recreated and members will need to be re-added. However, if this was done via policy and that policy was checked into SCM, it shouldn’t be an issue.

Thanks @joe.garcia for the suggestions. Will look into it.