Real world Vault-synchronizer delays and limits?

What kinds of delays are people seeing in the real world for the Conjur-Vault synchronizer? Are there any “guarantees” on maximum time?

Anyone tried lowering SYNC_INTERVAL_TIME from the default 300s?

We want to roll out rotation for nearly every secret, but it’s going to be really annoying if we have to tell internal users “it could take up to 5-10 minutes to get the new password synced”. Assuming password changes every 90 days, that’s a reduction in uptime to 99.995% (four and a half nines).

There’s dual accounts of course, but it’s annoying to create two copies of every secret and doubles the work needed. Plus it’s clunky in PVWA and requires some end user training.

We’re also curious if this might go up over time as we approach the per-LOB limit.


This community is pretty dead but I’ll include the response I got from CyberArk:
“We know of customers working with 1 minute interval but it depends on the number of accounts it should sync. The reason is that if the sync itself takes longer than the configured sync cycle, the Synchronizer won’t start a new sync until the current one is complete. We recommend working with Dual accounts so that secrets are available at all times.”

So it seems that CyberArk does not have any idea of the real world delays and limits, other than to try setting the sync interval lower.

Yeah, password change management is the second biggest challenge in secrets management after the secret-zero problem. In my demo environment I have the synchronizer interval set to 3 seconds, which works great to sync secrets to Conjur nearly instantaneously (from a human time perception anyway). But I only have a few safes with maybe a dozen accounts total. The more safes and accounts you have, the more upping the synchronizer frequency could start to really beat on the vault and affect performance of other components (PVWA, PSM, etc). I haven’t tried this, but you might look at running the synchronizer on its own host and pointing it at a DR or satellite vault to offload the synchronizer load from the main vault. Realize though that without dual accounts, you’ll always have potential race conditions where the password value in Conjur is not up to date with the vault. So it’s best if apps are written to re-retrieve the secret with an exponential backoff on authn failure, to allow for any unavoidable latencies between password changes and their syncing to Conjur.

1 Like