B. Review the log file ‘CreateEnv.log’ and investigate any error messages it contains.

This is the best option because the CreateEnv.log file records the steps and results of creating the CP environment in the Vault during the installation. The CP environment includes the safe, the provider user, the application user, and the application identity. If any errors occurred when creating the CP environment, they will be logged in this file and may indicate a problem with the Vault connection, the credential file, the permissions, or the configuration. Reviewing the log file can help to identify and resolve the root cause of the errors and ensure the CP environment is properly set up.

Continuing configuring the application to use the CP without further action is not a good option because it may lead to unexpected or inconsistent behavior of the CP or the application. The errors that occurred when creating the CP environment may affect the security, availability, or integrity of the credentials or the application. Ignoring the errors may also make it harder to troubleshoot or fix them later.

Running setup.exe again and selecting ‘Recreate Vault Environment’ is not a good option because it may overwrite or delete the existing CP environment and cause more errors or conflicts. Recreating the Vault environment should only be done after reviewing the log file and understanding the cause of the errors. Moreover, recreating the Vault environment may require more privileges than creating it for the first time, as some objects may be already in use or locked.

Reviewing the PVWA logs to determine which REST API call used during the installation failed is not a good option because it may not provide enough information or context to understand or resolve the errors. The PVWA logs may show the HTTP status codes or messages of the REST API calls, but they may not show the details or parameters of the calls or the responses. The PVWA logs may also contain other unrelated or irrelevant entries that may confuse or distract from the errors. The CreateEnv.log file is a more specific and reliable source of information for the errors that occurred when creating the CP environment.

This is the correct answer because the Conjur Token is a JSON Web Token (JWT) that is signed by the Conjur master and contains the identity and permissions of the application. The Conjur Token is stateless, meaning that it does not depend on any stored session or transaction information on the server side. Therefore, any Conjur follower can validate the Token by verifying the signature and the expiration time, and satisfy the request by retrieving the credential from the local database. This allows the Conjur followers to be horizontally scalable and load balanced, and to provide high availability and performance for the applications. This answer is based on the Conjur documentation1 and the Conjur training course2.

Conjur Followers are read-only replicas of the Leader that can serve client requests for authentication, authorization, and secret retrieval. However, Followers cannot perform write operations, such as creating or updating secrets, policies, or roles. If the Leader becomes unavailable, the Followers will not be able to sync with the latest data and will eventually become stale. To ensure high availability and data consistency, the customer should extend the auto-failover cluster to include Standbys in each data center. Standbys are also replicas of the Leader, but they can participate in replication and promotion. One Standby is configured for synchronous replication, which means it receives the same updates as the Leader at the same time. The other Standbys are configured for asynchronous replication, which means they receive updates from the Leader periodically, but not in real time. In case of Leader failure, the synchronous Standby can be automatically promoted to become the new Leader, and one of the asynchronous Standbys can become the new synchronous Standby. This way, the customer can ensure that there is always an up-to-date Leader that can serve write requests and sync with the Followers in different data centers. References: Set up Follower, Set up auto-failover cluster, Conjur architecture and deployment reference

The correct answer is A. On the new Leader, generate a Standby seed for the old Leader node and add it to the cluster member list. Rebuild the old Leader as a new Standby and then re-enroll the node to the cluster.

This is the recommended way to repair the cluster health after an auto-failover event, according to the CyberArk Sentry Secrets Manager documentation1. This method reuses the original Leader as a new Standby, without affecting the new Leader or the other Standby. The steps are as follows:

• On the new Leader, generate a Standby seed for the old Leader node using the command evoke seed standby . This will create a file named .tar in the current directory.
• On the new Leader, add the old Leader node to the cluster member list using the command evoke cluster add .
• On the old Leader server, stop and remove the container using the commands docker stop  and docker rm .
• On the old Leader server, copy the Standby seed file from the new Leader using the command scp :.tar .
• On the old Leader server, create a new container using the same name as the one you just destroyed, and load the Standby seed file using the command docker run --name -d --restart=always -v /var/log/conjur:/var/log/conjur -v /opt/conjur/backup:/opt/conjur/backup -p "443:443" -p "5432:5432" -p "1999:1999" cyberark/conjur:latest seed fetch .tar
• On the old Leader server, re-enroll the node to the cluster using the command evoke cluster enroll

The other options are not correct, as they either involve unnecessary or harmful steps, such as rebuilding the new Leader or the other Standby, or re-uploading the auto-failover policy in replace mode, which may cause data loss or inconsistency.

According to the CyberArk Sentry Secrets Manager documentation, Conjur is a secrets management solution that consists of a leader node and one or more follower nodes. The leader node is responsible for managing the secrets, policies, and audit records, while the follower nodes are read-only replicas that can serve secrets requests from applications. To achieve high availability in AWS cloud infrastructure, the minimally viable Conjur deployment architecture is to have one follower in each availability zone (AZ) and a load balancer for the region. This way, if one AZ fails, the applications can still access secrets from another AZ through the load balancer. Having two followers in each region, load balanced for the region, is not enough to ensure high availability, as a regional outage can affect both followers. Having two followers in each AZ, load balanced for the region, is more than necessary, as one follower per AZ can handle the secrets requests. Having two followers in each region, load balanced across all regions, is not feasible, as Conjur does not support cross-region replication. References: 1: Conjur Architecture 2: Deploying Conjur on AWS

= The cause of the issue is that the token is not correctly encoded. A token is a string of characters that represents a credential or an authorization grant for accessing a resource. A token must be encoded according to a specific format and standard, such as Base64, JSON Web Token (JWT), or OAuth 2.0. If the token is malformed, meaning that it does not follow the expected format or standard, the server will reject the token and return an error 401 - Malformed Authorization Token. This error indicates that the token is invalid or expired, and the request is unauthorized. To resolve the issue, the token must be regenerated or refreshed using the correct encoding method and parameters12. References: =

• CyberArk Identity: Getting 401 unauthorized Error when using API calls with OAuth2 Client 2, Resolution 1
• Troubleshoot CyberArk Vault Synchronizer 1, Error: Forbidden Logon Token is Empty - Cannot logon Unauthorized

The log entry shows a failed authentication attempt with Conjur using the authn-jwt method. This method allows applications to authenticate with Conjur using JSON Web Tokens (JWTs) that are signed by a trusted identity provider. In this case, the application is Jenkins, which is a CI/CD tool that can integrate with Conjur using the Conjur Jenkins plugin. The plugin allows Jenkins to securely retrieve secrets from Conjur and inject them as environment variables into Jenkins pipelines or projects.

The log entry indicates that the JWT sent by Jenkins was rejected by Conjur because of an SSL connection error. The error message says that the certificate chain of Jenkins could not be verified by Conjur, and that the certificate authority (CA) that signed the Jenkins certificate was unknown to Conjur. This means that the Jenkins certificate chain is not trusted by Conjur, and that Conjur does not have the CA certificate of Jenkins in its trust store. Therefore, Conjur cannot establish a secure and trusted connection with Jenkins, and cannot validate the JWT signature.

To fix this problem, the Jenkins certificate chain needs to be trusted by Conjur. This can be done by copying the CA certificate of Jenkins to the Conjur server, and adding it to the Conjur trust store. The Conjur trust store is a directory that contains the CA certificates of the trusted identity providers for the authn-jwt method. The Conjur server also needs to be restarted for the changes to take effect.

References = Conjur Jenkins Plugin; Conjur JWT Authentication; Conjur Trust Store