-
Notifications
You must be signed in to change notification settings - Fork 6
/
installing.html.md.erb
169 lines (124 loc) · 8.3 KB
/
installing.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
---
title: Installing and Configuring CyberArk Conjur Service Broker for VMware Tanzu
owner: Partners
---
This topic describes how to install and configure CyberArk Conjur Service Broker for VMware Tanzu.
## <a id='install'></a>Install and Configure CyberArk Conjur Service Broker for VMware Tanzu
1. Download the CyberArk Conjur Service Broker for VMware Tanzu product file from <a href = "https://network.pivotal.io/products/cyberark-conjur/">Pivotal Network</a>.
1. Navigate to the Ops Manager Installation Dashboard and click **Import a Product** to upload the product file.
1. Under the **Import a Product** button, click **+** next to the version number of CyberArk Conjur Service Broker for VMware Tanzu.
This adds the tile to your staging area.
1. Click the newly added **CyberArk Conjur Service Broker for VMware Tanzu** tile.
1. Click the **Settings** tab.
1. Configure the side tabs. The tabs with orange circles require configuration. The others are optional.
* [Assign AZs and Networks](#assign-az)
* [Service Broker Configuration](#config-service-broker)
* [Service Access](#config-service-access)
1. Click **Save**.
1. Return to the Ops Manager Installation Dashboard and click **Apply changes** to apply the configuration changes and complete the installation of the CyberArk Conjur Service Broker for VMware Tanzu tile.
1. Use `cf marketplace` to verify availability of the community service named `cyberark-conjur`.
### <a id='assign-az'></a>Assign AZs and Networks
Choose appropriate values to configure where to deploy CyberArk Conjur Service Broker for VMware Tanzu.
### <a id='config-service-broker'></a>Service Broker Configuration
This tab configures communication between the Service Broker and a Conjur appliance.
![Conjur Service Broker Configuration tab](tile_config_screen.png)
* **Conjur Account**:
The organization account assigned during Conjur appliance installation. If
you are using the [**Try Conjur**](https://www.conjur.org/get-started/try-conjur.html) hosted Conjur instance for a proof of concept, the account is
typically your email address.
* **Conjur Appliance URL**:
The URL of the Conjur appliance that you are connecting to. If you
are using [**Try Conjur**](https://www.conjur.org/get-started/try-conjur.html) hosted Conjur,
this is `https://eval.conjur.org`.
* **Conjur Follower URL (Optional)**:
If using high availability in Conjur EE, this should be the URL
for a load balancer that manages the cluster's Follower instances. This is the URL that
applications that bind to the service broker will use to communicate with Conjur.
* **Conjur Login**:
The fully-qualified ID of a Conjur host for the service broker.
<br/><br/>
The Host must have `create` and `update` privileges on the dedicated Conjur policy for VMware Tanzu that you enter in the **VMware Tanzu Conjur Policy Branch ID** field. If you are not using a dedicated Conjur policy for VMware Tanzu, this login Host must have `create` and `update` privileges on the Conjur root policy.
<br/><br/>
This login is only used by the Service Broker to add and remove Hosts from Conjur policy as your applications are deployed to or removed from VMware Tanzu.
<br/><br/>
This entry should be of the form `host/host-id`, where `host-id` is the fully-qualified Conjur Host ID (e.g. `host/pcf-service-broker`). The `host/` prefix indicates to the Conjur authenticator that these credentials belong to a Host, and not a User.
* **Conjur API Key**:
The API key of the Conjur Host whose identity you provided in the **Conjur Login** field.
<br/><br/>
If the Host's API key changes, update this field and click **Apply Changes** to continue using the Service Broker to bind applications. After binding, an application has its own credentials for connecting to the Conjur appliance.
<br/><br/>
<p class='note'><strong>Note:</strong> The Conjur Host credentials configured here are available only to VMware Tanzu admins. They are not generally accessible to users in VMware Tanzu.</p>
* **Conjur Version**:
Defaults to 5. Select 4 for Enterprise Conjur v4. Select 5 for Enterprise Conjur v5 or Open Source Conjur (including an evaluation Hosted Conjur).
* **VMware Tanzu Conjur Policy Branch ID**:
The fully-qualified Conjur Policy ID of the dedicated Conjur policy for VMware Tanzu that you created (e.g. `pcf/production`). Leave blank to default to the root policy (not recommended).
* <a name="space-scoped-identity"></a> **Enable Spaced-scoped App Identities**
When an application is bound to the Conjur service, it receives an identity in Conjur
and credentials to authenticate to Conjur.
<br/><br/>
Configure the service broker to either create a single Conjur identity shared by
all applications in a space, or to create a Conjur identity for each application
individually.
<br/><br/>
In VMware Tanzu version 2.0+, when the service broker creates the space or app identity, it
automatically adds it to Conjur Layers representing the `Organization`
and `Space` where the application is deployed. Use these layers to control secret
access at the org or space level, instead of the application host itself.
<br/><br/>
**Space-scoped Identity**
<br/>
If **Enable Spaced-scoped App Identities** option is selected, when a service instance is
created in a space, the service broker creates a space-wide Conjur Host. When an application
is bound to the service, the service broker gives it the credentials of the space identity,
rather than create a new host identity for each application.
<br/><br/>
The advantage to this approach is that the bind operation only requires access to a Conjur follower and
not the Conjur master. This promotes high-availability and scalability of app binding and secret
retrieval.
<br/><br/>
If you use space host identities, only use the org and space layers to permit
access to secrets. More information on this is available [in the Using guide.](using.html#permit-org-space)
<br/><br/>
**Application-scoped Identity**
<br/>
If **Enable Spaced-scoped App Identities** option is not selected, the service broker creates a new
Conjur host identity for each application bound to the service requiring the service
broker to communicate with the Conjur master for each bind request.
<br/><br/>
The advantage to this approach is finer-grained access control and audit logs in Conjur.
<br/><br/>
Application host identities may be permitted to access secrets at the [org and space level](using.html#permit-org-space)
or at the [individual application level.](using.html#entitle-application)
* **Conjur Certificate**:
The PEM encoded x509 certificate chain for the Conjur server.
<br/><br/>
This certificate chain may be retrieved from the Conjur server using the command:
```
$ openssl s_client -showcerts -servername [CONJUR_DNS_NAME] \
-connect [CONJUR_DNS_NAME]:443 < /dev/null 2> /dev/null \
| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
```
The certificate value should include the `BEGIN CERTIFICATE` and `END CERTIFICATE` lines:
```
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
```
Click **Save** after providing the configuration values.
### <a id='config-buildpack'></a>Buildpack Setttings
The tile installs the Conjur Buildpack, which enables your applications to leverage Summon to automatically inject secrets. The default settings are appropriate.
### <a id='config-service-access'></a>Service Access
If **Enable global access to plans of service Conjur** is checked, the Conjur service is available to all VMware Tanzu users, across all orgs and spaces.
To configure more precise access control, uncheck this option and use `cf enable-service-access` to specify which orgs and spaces can access the Conjur service.
### <a id='config-errands'></a>Errands
The CyberArk Conjur Service Broker for VMware Tanzu tile does not add any errands.
### <a id='config-resources'></a>Resource Config
The default settings are appropriate.
### Apply Changes
After configuring the tile, finish the installation:
* Navigate to the Ops Manager Dashboard
* Click **Review Pending Changes**
* Click **Apply Changes**