SECRET-SEN Exam Dumps - CyberArk Certification Questions and Answers

C. docker exec evoke ca import – –no-restart

This is the correct command to import the root CA certificate into Conjur. The evoke ca import command is used to import a certificate authority (CA) certificate into the Conjur appliance. The certificate can be either a root CA or an intermediate CA. The – –no-restart option prevents the Conjur appliance from restarting after importing the certificate. The parameter specifies the path and name of the root CA certificate file to be imported. This command will add the root CA certificate to the trusted CA store of the Conjur appliance, which is used to validate the certificates of the clients and servers that communicate with Conjur. This command is documented in the Conjur documentation1 and the Conjur training course2.

The other options are not correct commands to import the root CA certificate into Conjur. The evoke import command does not exist. The – –root option is not a valid option for the evoke ca import command. The ca import command is not a valid docker exec command.

= Summon is a command-line tool that provides on-demand secrets access for common DevOps tools. It reads a file in secrets.yml format and injects secrets as environment variables into any process. The secrets.yml file is where you define which secrets to retrieve from a trusted store, such as CyberArk Secrets Manager. The secrets.yml file specifies the name and location of each secret, as well as the environment variable to assign it to. For example, a secrets.yml file could look like this:

DB_USERNAME: !var dev/my-app/db-username DB_PASSWORD: !var dev/my-app/db-password

This means that Summon will fetch the values of dev/my-app/db-username and dev/my-app/db-password from the trusted store, and assign them to the environment variables DB_USERNAME and DB_PASSWORD, respectively. Then, Summon will run the specified process with these environment variables set, and remove them once the process exits. This way, Summon enables secure and convenient access to secrets without exposing them in plain text or storing them in files.

References = Summon by cyberark - GitHub Pages; Using Summon to Manage Secrets as You Move From Dev to Prod

The error message indicates that the authenticator webservice is not enabled on the Conjur server. To enable the authenticator, you need to modify the conjur.conf file in the /opt/conjur/etc directory and add the authenticator webservice ID to the CONJUR_AUTHENTICATORS environment variable. For example, if the authenticator webservice ID is authn-k8s/prd-cluster-01, you need to add it to the existing value of CONJUR_AUTHENTICATORS, separated by a comma. Then, you need to restart the Conjur service for the changes to take effect. This will enable the authenticator on the Conjur server and allow the Kubernetes application to authenticate to the Follower load balancer. References: Enable the Authenticator Webservice, Configure the Authenticator Webservice

 According to the CyberArk Sentry Secrets Manager documentation, the Secrets Provider for Kubernetes can be deployed as an init container or a sidecar in Push-to-File mode. In Push-to-File mode, the Secrets Provider pushes Conjur secrets to one or more secrets files in a shared volume in the same Pod as the application container. The application container can then consume the secrets files from the shared volume. The deployment option that should be used to support rotation with Push-to-File mode is the sidecar, because the sidecar can run continuously and check for updates to the secrets in Conjur. If changes are detected, the sidecar can update the secrets files in the shared volume. The init container, on the other hand, runs to completion and does not support rotation. The application container and the service broker are not valid deployment options for the Secrets Provider for Kubernetes in Push-to-File mode. References: 1: Secrets Provider - Init container/Sidecar - Push-to-File mode 2: Secrets Provider - init container/sidecar - Push-to-File mode