Use Conjur for agentless connections

Organization of your Conjur secrets

To configure an agentless connection using Conjur secrets, the username and secret (password or key) must both be stored in Conjur. Their location in the Conjur policy is up to the Conjur administrator.

Configure a Conjur host for Cyberwatch

With Conjur, service users for API access are called hosts. We recommend that you create a host dedicated to Cyberwatch and give it read-only access to only the secrets it needs.

If your infrastructure is segmented, you may create one host per segment, each with restricted permissions, and register each host individually.

To add your Conjur host credentials to Cyberwatch, go to the Stored credentials menu, then add a credentials set of type CyberArk Conjur:

  • The Conjur account is usually named after your organization, or may be the name of a specific secrets safe. The account must contain the secrets you wish to access and the Conjur host Cyberwatch will authenticate as.

  • The host ID is the path from the root policy to the host resource Cyberwatch will use, prefixed by host/.

  • The API key is a random passphrase generated when the Conjur host is created.

For more details about host creation in Conjur, see the Conjur official tutorial Enrolling an application.
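A Conjur policy that follows the recommendation above, as an added example (not from the Cyberwatch documentation or the Conjur tutorial); the policy id `cyberwatch`, the host name `scanner` and the variable paths are assumptions, so adapt them to your own policy layout:

```yaml
# Constructed example policy: a dedicated Cyberwatch host that can only
# fetch the two secrets an agentless connection needs.
- !policy
  id: cyberwatch
  body:
    # Host Cyberwatch authenticates as.
    # Its host ID for the credentials set is: host/cyberwatch/scanner
    - !host scanner

    # Username and secret for the agentless connection (assumed paths).
    # These are the variable paths entered in step 5 of the connection form:
    #   cyberwatch/ssh/username
    #   cyberwatch/ssh/password
    - &agentless-secrets
      - !variable ssh/username
      - !variable ssh/password

    # Least privilege: read (see the variable) and execute (fetch its value)
    # on exactly these variables, and nothing else in the policy tree.
    - !permit
      role: !host scanner
      privileges: [ read, execute ]
      resources: *agentless-secrets
```

Loading a policy that creates a host returns the host's API key once; that value is the one entered as the API key of the credentials set.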

Create an agentless connection with Conjur

  1. In section Assets, go to Assets management > Agentless connections.
  2. Click Add.
  3. In “Access protocol”, select SSH or WinRM.
  4. Select as Credentials your Conjur host configured above.
  5. Specify the paths to the required variables, according to the structure of your policy.
