Introduction

CyberArk Conjur offers secrets management for applications and services. There are four different deployment models. The model tested in this Integration Guide is the Dynamic Access Provider (DAP). For more information, see Conjur Secrets Manager Enterprise features in the CyberArk Conjur online documentation.

The base product is provided as a containerized appliance and can be executed in Docker or Kubernetes. The testing in this Integration Guide uses a basic deployment of the nShield Container Option Pack (nCOP) in Docker.

Container images

Two container images were created for the purpose of this integration: a hardserver container and a CyberArk Conjur application container. These images are stored in an external registry:

  • nshield-hwsp

    A hardserver container image that controls communication between the HSM(s) and the application containers.

  • conjur-appliance

    An Application Access Manager (AAM) container image from CyberArk that will host the Master DAP Server.

Product configurations

Entrust has successfully tested nShield HSM integration with CyberArk Conjur in the following configurations:

| Software | Version |
|---|---|
| nCOP | 1.1.2 |
| Operating System | Ubuntu 22.04 LTS |
| CyberArk Conjur Appliance Image | 12.3.0, 12.7.0, 13.2.0 |

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield hardware and software versions:

Connect XC

| Security World Software | Firmware | Image | OCS | Softcard | Module |
|---|---|---|---|---|---|
| 12.71.0 | 12.50.11 (FIPS 140-2 certified) | 12.60.10 | | | |
| 12.80.4 | 12.50.11 (FIPS 140-2 certified) | 12.80.4 | | | |
| 12.80.4 | 12.72.1 (FIPS 140-2 certified) | 12.80.5 | | | |
| 13.4.5 | 12.72.1 (FIPS 140-2 certified) | 12.80.5 | | | |

nShield 5c

| Security World Software | Firmware | Image | OCS | Softcard | Module |
|---|---|---|---|---|---|
| 13.4.5 | 13.2.2 | 13.3.2 | | | |

Supported nShield HSM functionality

| Feature | Support |
|---|---|
| Module-only key | Yes |
| OCS cards | Yes |
| Softcards | Yes |
| nSaaS | Yes |
| FIPS 140 Level 3 mode support | Yes |

Requirements

Before installing these products, read the associated documentation:

  • For the nShield HSM: Installation Guide and User Guide.

  • If nShield Remote Administration is to be used: nShield Remote Administration User Guide.

  • nShield Container Option Pack User Guide.

  • For DAP deployment: Conjur Secrets Manager Enterprise v13.2 in the CyberArk online documentation.

  • For HSM master key encryption: Encrypt the master key using an HSM in the CyberArk online documentation.

Furthermore, the following design decisions have an impact on how the HSM is installed and configured:

  • Whether your Security World must comply with FIPS 140 Level 3 standards.

    If using FIPS 140 Level 3, it is advisable to create an OCS for FIPS authorization. For information about limitations on FIPS authorization, see the Installation Guide of the nShield HSM.

  • Whether to instantiate the Security World as recoverable or not.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

More information

For more information about OS support, contact your CyberArk sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com.

Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.