Does Secretless Broker need a cert for https connection to DAP?

Hello everyone. We are integrating Secretless Broker with Conjur DAP, but the application fails to run. We can successfully integrate with Conjur Open Source, so I was looking at the differences between DAP and Conjur Open Source. When we integrate a Java application with DAP we need to set up a trust between the calling Java app and Conjur by adding a conjur.der cert to the Java cacerts keystore. Do we need to provide Secretless Broker with the conjur.pem cert to connect with DAP? I don’t see in the CyberArk Dynamic Access Provider Secretless Broker Configuration webpage any mention of needing to provide Secretless Broker with any type of cert for a secure connection between DAP and Secretless Broker, but thought I would ask because I can’t figure out why my connection to DAP won’t work.

Link to CyberArk Conjur OSS with Secretless = link.
Link to CyberArk Dynamic Access Provider with Secretless = link.
Link to CyberArk Java API setup Trust Between App and Conjur = link.

1 Like

Hello again @LouisLouisLouL - I’m glad to see you back!

In our Using DAP guide we have a section on storing the DAP SSL cert in a configmap that might be useful to you - you can see in the app manifest toward the bottom of the page that the DAP SSL cert configmap is referenced when the CONJUR_SSL_CERTIFICATE environment variable is set in the Secretless container definition:

          - name: CONJUR_SSL_CERTIFICATE
            valueFrom:
              configMapKeyRef:
                key: ssl-certificate
                name: dap-ssl-cert

Please take a look at this resource, and let us know if you still have questions.

1 Like

Thank you for the reply, izgerij. The examples in the instructions you suggested show how to leverage Kubernetes to create the container. I was able to figure out how to do this using Docker commands. Poking around in the Secretless Broker Docker container I found a folder called certs. I created a container using the -v command and added my SSL cert inside this folder, located in the container at /etc/ssl/certs/, and it worked.

example command:
docker run --env CONJUR_APPLIANCE_URL=https://[endpoint.to.DAP] --env CONJUR_ACCOUNT=[DAP account] --env CONJUR_AUTHN_API_KEY=[api-key] --env CONJUR_AUTHN_LOGIN=[host] -it -p 127.0.0.1:1433:1433 -v /host/secretless/yaml/file/location/secretless.yml:/secretless.yml -v /host/certs/location/conjur.pem:/etc/ssl/certs/conjur.pem cyberark/secretless-broker -debug

1 Like
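Both replies above come down to the same thing: Secretless must be handed the DAP CA certificate as PEM text, either through the `CONJUR_SSL_CERTIFICATE` environment variable (Kubernetes ConfigMap) or as a file mounted under `/etc/ssl/certs/`. The script below is an added example, not from this thread or from the Secretless Broker project, that prepares and sanity-checks that certificate on the host before it is trusted: it converts the DER file used for the Java keystore to PEM, confirms the result really is a CA certificate, prints its SHA-256 fingerprint so it can be compared with what the DAP administrator published, and optionally performs a TLS handshake against the appliance using only that file as trust store. It assumes `openssl` is installed; the file names, the hostname and the script name `prepare_cert.sh` are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the Secretless project: prepare the DAP
# CA certificate for Secretless Broker and check it before trusting it.
# Assumptions (not from the thread): openssl is on PATH; the input is the CA
# certificate exported from DAP, as DER (conjur.der) or PEM (conjur.pem);
# hostnames and paths are placeholders.
set -eu

# to_pem IN OUT: write IN as PEM to OUT. Secretless reads CONJUR_SSL_CERTIFICATE
# (or a file under /etc/ssl/certs) as PEM text, while the Java keystore import
# in the question takes DER, so one exported cert serves both once converted.
to_pem() {
  in="$1"; out="$2"
  if grep -q 'BEGIN CERTIFICATE' "$in" 2>/dev/null; then
    cp "$in" "$out"                          # already PEM, keep as-is
  else
    openssl x509 -inform der -in "$in" -out "$out"
  fi
}

# check_pem FILE: succeed only if FILE parses as a PEM X.509 certificate
# (a private key, an empty or missing file, or a DER file all fail here).
check_pem() {
  [ -s "$1" ] && openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# is_ca FILE: succeed if the certificate carries basicConstraints CA:TRUE.
# The file DAP hands out should be the CA that signed the appliance's serving
# certificate; a leaf certificate here would not make the chain verify.
is_ca() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# fingerprint FILE: SHA-256 fingerprint, for comparing the file you mount into
# the container with the one published by the DAP administrator.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# check_endpoint HOST FILE: TLS handshake against the DAP appliance using only
# FILE as the trust store; succeeds when the chain verifies. Needs network.
check_endpoint() {
  openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Usage: sh prepare_cert.sh conjur.der conjur.pem dap.example.internal
# With three arguments: convert, check, and print the docker mount to use.
if [ "$#" -eq 3 ]; then
  to_pem "$1" "$2"
  check_pem "$2" || { echo "$2 is not a PEM certificate" >&2; exit 1; }
  is_ca "$2"     || echo "warning: $2 is not a CA certificate" >&2
  echo "sha256: $(fingerprint "$2")"
  if check_endpoint "$3" "$2"; then
    echo "chain for $3 verifies with $2"
  else
    echo "warning: $3 did not verify with $2 (no network, or wrong CA?)" >&2
  fi
  echo "mount with: -v $(pwd)/$2:/etc/ssl/certs/conjur.pem"
fi
```

The printed `-v` argument drops straight into the `docker run` command from the previous reply; for the Kubernetes route, the same checked PEM file is what goes into the `dap-ssl-cert` ConfigMap under the `ssl-certificate` key. Running `check_endpoint` from the host first separates "wrong or non-CA certificate" from "Secretless configuration" when the `-debug` output shows a TLS failure.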

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.