SECRET-SEN Practice Exam Questions with Answers CyberArk Sentry Secrets Manager Certification

In the event of a Leader failure, you can perform a manual failover to promote one of the Standbys to be the new Leader. The manual failover process consists of the following steps:

• Suspend replication for all Standbys and Followers and identify the best failover candidate. This step ensures that no data is lost or corrupted during the failover process. The best failover candidate is the Standby with the most advanced replication timeline, which means it has the most up-to-date data from the Leader.
• Promote the failover candidate to be the new Leader. This step changes the role of the failover candidate from a Standby to a Leader, and updates its configuration accordingly. The new Leader can now accept write requests from clients and replicate data to other nodes.
• Restore replication. This step re-establishes the replication connections between the new Leader and the other nodes, and rebases the replication of the other Standbys and Followers to the new Leader. This ensures that all nodes have the same data and are in sync with the new Leader.

References: The manual failover configuration steps are explained in detail in the Configure Manual Failover section of the CyberArk Conjur Enterprise documentation. The image in the question is taken from the same source.

The correct process to upgrade the CCP Web Service is D. Uninstall and reinstall the CCP Web Service. The CCP Web Service is a component of the CyberArk Central Credential Provider (CCP) that enables applications to retrieve secrets from the CyberArk Vault using REST API calls. To upgrade the CCP Web Service, you need to first uninstall the existing CCP Web Service from the Windows Server Manager or the Control Panel, and then reinstall the CCP Web Service using the latest installation package from the CyberArk website. The installation package contains both the Credential Provider and the CCP Web Service components, and you need to run the AimWebService.msi file to install the CCP Web Service. You also need to make sure that the CCP Web Service has the correct configuration and permissions, and that the CyberArk CRL (Certificate Revocation List) is open from the CCP server.

The other options are not correct processes to upgrade the CCP Web Service. Running “sudo yum update aimprv” from the CLI is a command to update the Credential Provider on Linux, not the CCP Web Service on Windows. Double-clicking the Credential Provider installer executable and selecting upgrade is a process to upgrade the Credential Provider on Windows, not the CCP Web Service. Double-clicking the AimWebService.msi and selecting upgrade is not a valid option, as the CCP Web Service does not support an upgrade option, and you need to uninstall it first before reinstalling it. References =

• Upgrade the Central Credential Provider (CCP) - CyberArk, Section “Upgrade the Central Credential Provider (CCP)”
• Central Credential Provider web service configuration - CyberArk, Section “Central Credential Provider web service configuration”

This is the correct answer because the Vault.ini file on the CP machine contains the configuration settings for the CP to connect to the Vault server. The Address parameter specifies the IP address or hostname of the Vault server that the CP will use to communicate with the Vault. In the event of a failover of the Vault server from the primary to the DR, the CP needs to update the Address parameter with the IP address of the DR Vault server in order to continue being able to refresh its cache. The cache is a local storage of credentials that the CP retrieves from the Vault and provides to the applications. The cache is refreshed periodically based on the RefreshInterval parameter in the Vault.ini file. This answer is based on the CyberArk Secrets Manager documentation1 and the CyberArk Secrets Manager training course2.

The other options are not correct because they do not ensure that the CP will continue being able to refresh its cache in the event of a failover of the Vault server from the primary to the DR. Adding the DR Vault IP address to the Address parameter in the main_appprovider.conf.. file in the AppProviderConf safe is not a valid option, as this file does not contain the Address parameter. The main_appprovider.conf file contains the configuration settings for the basic provider, such as the AppProviderVaultParmsFile, the AppProviderPort, and the AppProviderCacheMode. The Address parameter is only found in the Vault.ini file on the CP machine.

In the Password Vault Web Access (PVWA) UI, adding the IP address of the DR Vault in the Disaster Recovery section under Applications > Options is not a valid option, as this section does not exist in the PVWA UI. The PVWA UI does not have a Disaster Recovery section under Applications > Options. The PVWA UI has a Disaster Recovery section under Administration > Options, but this section is used to configure the DR Vault settings, such as the DR Vault IP address, the DR Vault user, and the DR Vault password. These settings are not related to the CP configuration or cache refresh.

In the Conjur UI, adding the IP address of the DR Vault in the Disaster Recovery section under Cluster Config > Credential Provider > Options is not a valid option, as this section does not exist in the Conjur UI. The Conjur UI does not have a Cluster Config, Credential Provider, or Options section. The Conjur UI has a Cluster Config section under Settings, but this section is used to configure the Conjur cluster settings, such as the master IP address, the follower IP address, and the seed fetcher IP address. These settings are not related to the CP configuration or cache refresh.

 The error message “psql: server closed the connection unexpectedly” means that the server terminated abnormally before or while processing the request. This is likely due to the Leader Load Balancer not being available on the port and replication cannot be established. The port that is the problem is 5432, which is the default port for PostgreSQL database connections. The Follower needs to connect to the Leader Load Balancer on this port to receive the replication data from the Leader. If the port is blocked or unreachable, the Follower will fail to sync with the Leader and display the error message. References: [Set up Follower], [Troubleshoot Follower]

The best way to enable debug for CCP is to edit the web.config file in the AIMWebService folder and change the value of the AIMWebServiceTrace parameter to 4, which is the verbose level. This will generate detailed logs in the AIMWSTrace.log file in the logs folder. The logs folder may need to be created manually and given the appropriate permissions for the IIS_IUSRS group. After changing the web.config file, the Windows Web Server (IIS) service needs to be restarted to apply the changes. This method is recommended by CyberArk Support and documented in the CyberArk Knowledge Base1.

Editing the basic_appprovider.conf file and changing the AIMWebServiceTrace value is not a valid option, as this parameter does not exist in this file. The basic_appprovider.conf file is used to configure the basic provider settings, such as the AppProviderVaultParmsFile, the AppProviderPort, and the AppProviderCacheMode. The AIMWebServiceTrace parameter is only found in the web.config file of the AIMWebService.

In the PVWA, going to the Applications tab, selecting the Application in question, and going to Options > Logging and choosing Debug is not a valid option, as this will only enable debug for the Application Identity Manager (AIM) component, not the CCP component. The AIM component is used to manage the application identities and their access to the Vault. The CCP component is used to provide secure retrieval of credentials from the Vault using web services. Enabling debug for AIM will generate logs in the APPconsole.log, APPtrace.log, and APPaudit.log files in the ApplicationPasswordProvider\Logs folder, but these logs will not help to troubleshoot the CCP authentication issues.

From the command line, running appprvmgr.exe update_config logging=debug is not a valid option, as this will only enable debug for the Application Provider Manager (APM) component, not the CCP component. The APM component is used to manage the configuration and operation of the providers, such as the basic provider, the LDAP provider, and the ENE provider. Running appprvmgr.exe update_config logging=debug will generate logs in the appprvmgr.log file in the ApplicationPasswordProvider\Logs folder, but these logs will not help to troubleshoot the CCP authentication issues. References:

• Enable Debugging and Gather Logs - Central Credential Provider1

Conjur is a secrets management solution that securely stores and manages secrets and credentials used by applications, DevOps tools, and other systems. Conjur provides a REST API that enables users to perform various operations on Conjur objects, such as secrets, policies, roles, and resources. The API endpoint for each Conjur object is composed of the base URL of the Conjur server, followed by the object type and identifier. For example, the API endpoint for a secret named db-password in the dev/my-app policy is:

https:// /secrets/dev/my-app/db-password

To discover secrets inside of Conjur, the API endpoint that can be used is Resources. Resources are Conjur objects that have permissions and annotations associated with them, such as secrets, hosts, groups, and layers. The Resources API endpoint allows users to list, search, and filter resources based on various criteria, such as kind, owner, policy, and annotation. For example, the following API request will return a list of all secrets owned by the user alice:

https:// /resources?kind=variable&owner=user:alice

The Resources API endpoint can help users to discover secrets inside of Conjur by providing information such as the name, ID, policy, owner, and annotations of each secret. Users can also use the Resources API endpoint to check the permissions and audit records of each secret, and to retrieve the secret value if they have the read permission.

References = Conjur API; Resources API; Secrets API

Based on the image you sent, the correct network port to its function in Conjur are:

• 22: required for SSH access
• 443: TLS endpoint for Conjur UI and API
• 444: HTTP health endpoint: simplifies load balancer setup
• 1999: audit events are streamed from the Follower to the Leader (using syslog-ng)
• 5432: required for data replication from the Leader to Standbys and Followers (PostgreSQL)

These are the standard ports and protocols used by the Conjur components to communicate with each other and with external clients. The ports can be customized according to the network and security requirements of the organization. These ports are documented in the CyberArk Secrets Manager documentation1 and the CyberArk Secrets Manager training course2.

This is the correct answer because a minimal Conjur deployment that integrates with an existing CyberArk PAM Vault environment, supports high availability, and is redundant across two geographically disparate regions requires the following servers:

• 2 Linux servers for the Conjur master cluster, one in each region. The master cluster consists of a leader and a standby node that can automatically failover in case of a leader failure. The leader node performs read/write operations on the Conjur database and policy engine, while the standby node replicates the leader data and can be promoted to leader if needed. The master cluster also hosts the Conjur UI and API endpoints.
• 4 Linux servers for the Conjur follower clusters, two in each region. The follower clusters consist of one or more follower nodes that perform read-only operations on the Conjur database and policy engine, such as authentication, authorization, and secret retrieval. The follower clusters are horizontally scalable and can be configured behind a load balancer to handle high volumes of requests from applications and clients. The follower clusters also host the Conjur Synchronizer service, which synchronizes secrets from the CyberArk PAM Vault to the Conjur database.
• 2 Linux servers for the Conjur seed fetcher service, one in each region. The seed fetcher service is a utility that runs on a separate server and periodically fetches the Conjur seed files from the master cluster and distributes them to the follower clusters. The seed files contain the configuration and encryption keys that are required to join a follower node to the Conjur cluster. The seed fetcher service ensures that the follower clusters are always updated with the latest seed files and can join the Conjur cluster without manual intervention.
• 2 Windows servers for the CyberArk Central Credential Provider (CCP), one in each region. The CCP is a component that provides secure and centralized credential management for applications and clients that need to access secrets from the CyberArk PAM Vault. The CCP exposes a web service interface that allows applications and clients to request credentials based on their identity and permissions. The CCP integrates with the Conjur Synchronizer service to retrieve the secrets from the Conjur database and cache them locally for faster access.

Therefore, the total number of servers required for this deployment is 9 Linux servers and 2 Windows servers. This deployment architecture is based on the Conjur documentation1 and the Conjur training course2.

 Conjur Summon is an open source utility that can fetch secrets from Conjur and export them as environment variables to a sub-process environment. This way, the secrets are not exposed or stored in the script, but are only available at run time. To use Conjur Summon, you need to install the summon-conjur provider on each workstation, define the secrets in a secrets.yml file, and wrap the PowerShell script in summon. For example, if the secret ID is win/domain/cred, the secrets.yml file would look like this:

DOMAIN_CRED: !var win/domain/cred

And the summon command would look like this:

summon --provider summon-conjur powershell script.ps1

This will inject the secret value of win/domain/cred as an environment variable named DOMAIN_CRED to the PowerShell script. The script can then access the secret using the $env:DOMAIN_CRED syntax.

References: Summon-inject secrets, cyberark/summon-conjur

This is the correct answer because the SynchronizerReplication.config file contains the configuration settings for the Vault Conjur Synchronizer service (Synchronizer) to sync secrets from the CyberArk Vault to the Conjur database. The SYNCALLPROPERTIES parameter specifies whether to sync all the properties of the accounts in the Vault or only the password property. By default, the SYNCALLPROPERTIES parameter is set to false, which means that only the password property is synced. To sync all the properties, such as the address and the user, the SYNCALLPROPERTIES parameter needs to be set to true. This answer is based on the CyberArk Secrets Manager documentation1 and the CyberArk Secrets Manager training course2.

The other options are not correct because they do not configure the Synchronizer to properly sync all properties. Modifying VaultConjurSynchronizer.exe.config, uncommenting SYNCALLPROPERTIES and updating its value to true is not a valid option, as this file does not contain the SYNCALLPROPERTIES parameter. The VaultConjurSynchronizer.exe.config file contains the configuration settings for the Synchronizer service, such as the log level, the log path, and the service name. The SYNCALLPROPERTIES parameter is only found in the SynchronizerReplication.config file.

Modifying Vault.ini, uncommenting SYNCALLPROPERTIES and updating its value to true is not a valid option, as this file does not contain the SYNCALLPROPERTIES parameter. The Vault.ini file contains the configuration settings for the CyberArk Central Credential Provider (CCP) to connect to the Vault server and provide credentials to the applications. The SYNCALLPROPERTIES parameter is not related to the CCP configuration or functionality.

In the Conjur UI under Cluster > Synchronizer > Config, changing SYNCALLPROPERTIES and updating its value to true is not a valid option, as this section does not exist in the Conjur UI. The Conjur UI does not have a Cluster, Synchronizer, or Config section. The Conjur UI has a Cluster Config section under Settings, but this section is used to configure the Conjur cluster settings, such as the master IP address, the follower IP address, and the seed fetcher IP address. The SYNCALLPROPERTIES parameter is not related to the Conjur cluster configuration or functionality.

= The cause of the issue is that the token is not correctly encoded. A token is a string of characters that represents a credential or an authorization grant for accessing a resource. A token must be encoded according to a specific format and standard, such as Base64, JSON Web Token (JWT), or OAuth 2.0. If the token is malformed, meaning that it does not follow the expected format or standard, the server will reject the token and return an error 401 - Malformed Authorization Token. This error indicates that the token is invalid or expired, and the request is unauthorized. To resolve the issue, the token must be regenerated or refreshed using the correct encoding method and parameters12. References: =

• CyberArk Identity: Getting 401 unauthorized Error when using API calls with OAuth2 Client 2, Resolution 1
• Troubleshoot CyberArk Vault Synchronizer 1, Error: Forbidden Logon Token is Empty - Cannot logon Unauthorized

The CCP (Central Credential Provider) is a tool that enables applications to securely retrieve credentials from CyberArk Secrets Manager without hard-coding or storing them in files. The CCP can be installed on a single server or on multiple servers behind a load balancer for high availability and scalability. The load balancer is a device or service that distributes the network traffic among the CCP servers based on predefined rules and criteria.

The CCP supports multiple methods to authenticate applications, such as Allowed Machines, Client Certificate, OS User, Path, and Hash. These methods are based on registering information in the Vault with the unique application ID. For more information about the supported authentication methods, see Application authentication methods1.

When installing the CCP and configuring it for use behind a load balancer, some authentication methods may be affected by the load balancer’s behavior and settings. Specifically, the following authentication methods may be affected:

• Allowed Machines authentication: This method authenticates applications based on their IP address or hostname. If the load balancer replaces the source IP or hostname of the routed packets with its own IP or hostname, the CCP will not be able to authenticate the application that initiated the credential request. To enable the CCP to resolve the IP or hostname of the application, the load balancer needs to be configured as a transparent proxy or to attach the X-Forwarded-For header to the routed packets. For more information, see Load balance the Central Credential Provider2.
• Client Certificate authentication: This method authenticates applications based on their client certificate that is signed by a trusted certificate authority (CA). The client certificate is used to establish a secure and trusted connection between the application and the CCP. If the load balancer terminates the SSL connection before proxying the traffic to the CCP, the CCP will not be able to verify the client certificate of the application. To enable the CCP to validate the client certificate, the load balancer needs to be configured as a pass-through proxy or to forward the client certificate to the CCP. For more information, see Load balance the Central Credential Provider2.

The other authentication methods are not affected by the load balancer, as they do not rely on the IP, hostname, or certificate of the application. For example, the OS User method authenticates applications based on their Windows domain user, the Path method authenticates applications based on their URL path, and the Hash method authenticates applications based on a hash value that is generated from the application ID and a shared secret. These methods do not require any special configuration on the load balancer or the CCP.

Followers are read-only replicas of the Leader that perform asynchronous replication from the Leader. This means that they receive updates from the Leader periodically, but not in real time. Followers are designed to handle all types of read requests from workloads and applications, such as authentication, permission checks, and secret fetches. Followers can scale horizontally to support a large number of concurrent requests and reduce the load on the Leader. Followers also provide high availability and disaster recovery by serving as backup nodes in case of Leader failure or network partition. References: Set up Follower, Deploy the Conjur Follower, Follower architecture