Correct Answer: C

According to the CyberArk Sentry Secrets Manager documentation, the Secrets Provider for Kubernetes can be deployed as an init container or a sidecar in Push- to-File mode. In Push-to-File mode, the Secrets Provider pushes Conjur secrets to one or more secrets files in a shared volume in the same Pod as the application container. The application container can then consume the secrets files from the shared volume. The deployment option that should be used to support rotation with Push-to-File mode is the sidecar, because the sidecar can run continuously and check for updates to the secrets in Conjur. If changes are detected, the sidecar can update the secrets files in the shared volume. The init container, on the other hand, runs to completion and does not support rotation. The application container and the service broker are not valid deployment options for the Secrets Provider for Kubernetes in Push-to-File mode. References: 1: Secrets Provider - Init container/Sidecar - Push-to-File mode 2: Secrets Provider - init container/sidecar - Push-to-File mode

Correct Answer: A

= The cause of the issue is that the token is not correctly encoded. A token is a string of characters that represents a credential or an authorization grant for accessing a resource. A token must be encoded according to a specific format and standard, such as Base64, JSON Web Token (JWT), or OAuth 2.0. If the token is malformed, meaning that it does not follow the expected format or standard, the server will reject the token and return an error 401 - Malformed Authorization Token. This error indicates that the token is invalid or expired, and the request is unauthorized. To resolve the issue, the token must be regenerated or refreshed using the correct encoding method and parameters12. References: = CyberArk Identity: Getting 401 unauthorized Error when using API calls with OAuth2 Client 2, Resolution 1 Troubleshoot CyberArk Vault Synchronizer 1, Error: Forbidden Logon Token is Empty - Cannot logon Unauthorized

Correct Answer: A

Credential Providers are tools that enable applications to securely retrieve credentials from CyberArk Secrets Manager without hard-coding or storing them in files. Credential Providers can be installed on application servers or on a central server that acts as a proxy for multiple applications. Credential Providers can integrate with Privileged Cloud, which is a cloud-based solution that provides privileged access management as a service. Privileged Cloud integrates with Secrets Manager Credential Providers to manage application credentials as privileged accounts within Privileged Cloud. When working with Credential Providers in a Privileged Cloud setting, a special consideration is that if there are installation issues, troubleshooting may need to involve the Privileged Cloud support team. This is because the installation of Credential Providers in a Privileged Cloud setting requires some additional steps and configurations that are performed by the Privileged Cloud support team. For example, the Privileged Cloud support team needs to configure the connection between Privileged Cloud and Credential Providers, and provide the necessary certificates and keys for secure communication. Therefore, if there are any problems or errors during the installation process, the Privileged Cloud support team may need to assist with the troubleshooting and resolution. The other options are not correct. Credential Providers are supported in a Privileged Cloud setting, as described in the Secrets Manager Credential Providers integration documentation1. The AWS Cloud account number does not need to be defined in the file main appprovider.conf.. found in the AppProviderConf Safe. This file is used to configure the Credential Provider settings, such as the Privileged Cloud URL, the application ID, and the SSL options. The AWS Cloud account number is not relevant for this file. Debug logging for Credential Providers deployed in a Privileged Cloud setting can be enabled or disabled by the Privileged Cloud support team, as described in the Credential Provider installation documentation2. Debug logging can help with troubleshooting and diagnostics, but it does not necessarily exhaust available disk space, as the log files can be rotated and archived. References: Secrets Manager Credential Providers integration; Credential Provider installation

Correct Answer: A

The correct answer is A. On the new Leader, generate a Standby seed for the old Leader node and add it to the cluster member list. Rebuild the old Leader as a new Standby and then re-enroll the node to the cluster. This is the recommended way to repair the cluster health after an auto-failover event, according to the CyberArk Sentry Secrets Manager documentation1. This method reuses the original Leader as a new Standby, without affecting the new Leader or the other Standby. The steps are as follows: On the new Leader, generate a Standby seed for the old Leader node using the command evoke seed standby . This will create a file named .tar in the current directory. On the new Leader, add the old Leader node to the cluster member list using the command evoke cluster add . On the old Leader server, stop and remove the container using the commands docker stop and docker rm . On the old Leader server, copy the Standby seed file from the new Leader using the command scp :.tar . On the old Leader server, create a new container using the same name as the one you just destroyed, and load the Standby seed file using the command docker run --name -d --restart=always -v /var/log/conjur:/var/log/conjur -v /opt/conjur/backup:/opt/conjur/backup -p "443:443" -p "5432:5432" -p "1999:1999" cyberark/conjur:latest seed fetch .tar On the old Leader server, re-enroll the node to the cluster using the command evoke cluster enroll The other options are not correct, as they either involve unnecessary or harmful steps, such as rebuilding the new Leader or the other Standby, or re-uploading the auto-failover policy in replace mode, which may cause data loss or inconsistency.

Correct Answer: D

This is the correct answer because the log file shows the error message "CEADBR009E Failed to load policy through SDK" and the exception message "The number of LOBs exceeds the limit". This indicates that the Vault Conjur Synchronizer service (Synchronizer) encountered a problem when trying to sync the secrets from the CyberArk Vault to the Conjur database using the Conjur SDK. The Conjur SDK is a library that allows the Synchronizer to interact with the Conjur REST API and perform operations on the Conjur resources, such as roles, policies, secrets, and audit records. The number of LOBs refers to the number of lines of business (LOBs) that are configured in the Synchronizer. A LOB is a logical grouping of secrets that belong to a specific business unit or function. Each LOB has its own configuration file that specifies the source safe, the target policy, and the mapping rules for the secrets. The Synchronizer can sync multiple LOBs concurrently using multiple threads. However, there is a limit on the number of threads that the Synchronizer can use, which depends on the hardware and software specifications of the Synchronizer machine. If the number of LOBs exceeds the number of threads, the Synchronizer will not be able to sync all the LOBs and will generate an error. This answer is based on the CyberArk Secrets Manager documentation and the CyberArk Secrets Manager training course.

Correct Answer: A

According to the CyberArk Sentry Secrets Manager documentation, Conjur is a secrets management solution that consists of a leader node and one or more follower nodes. The leader node is responsible for managing the secrets, policies,

and audit records, while the follower nodes are read-only replicas that can serve secrets requests from applications. To achieve high availability in AWS cloud infrastructure, the minimally viable Conjur deployment architecture is to have one

follower in each availability zone (AZ) and a load balancer for the region. This way, if one AZ fails, the applications can still access secrets from another AZ through the load balancer. Having two followers in each region, load balanced for the

region, is not enough to ensure high availability, as a regional outage can affect both followers. Having two followers in each AZ, load balanced for the region, is more than necessary, as one follower per AZ can handle the secrets requests.

Having two followers in each region, load balanced across all regions, is not feasible, as Conjur does not support cross-region replication.

References: 1: Conjur Architecture 2: Deploying Conjur on AWS

Correct Answer: C

C. docker exec evoke ca import --no-restart

This is the correct command to import the root CA certificate into Conjur. The evoke ca import command is used to import a certificate authority (CA) certificate into the Conjur appliance. The certificate can be either a root CA or an

intermediate CA. The --no-restart option prevents the Conjur appliance from restarting after importing the certificate. The parameter specifies the path and name of the root CA certificate file to be imported. This command will

add the root CA certificate to the trusted CA store of the Conjur appliance, which is used to validate the certificates of the clients and servers that communicate with Conjur. This command is documented in the Conjur documentation and the

Conjur training course.

The other options are not correct commands to import the root CA certificate into Conjur. The evoke import command does not exist.

The --root option is not a valid option for the evoke ca import command. The ca import command is not a valid docker exec command.

Correct Answer: C

According to the CyberArk Sentry Secrets Manager documentation, auto- failover is a feature that enables the automatic promotion of a standby node to a leader node in case of a leader failure. Auto-failover requires a quorum, which is a majority of nodes in the cluster that are available and synchronized. A quorum ensures that only one node can be promoted to a leader at a time and prevents split-brain scenarios. In the exhibit, each option shows a network diagram of a load balancer and four nodes, one of which is crossed out with a red X, indicating a leader failure. The text below each diagram indicates whether there is a quorum or not. Option C is the only example where auto- failover will occur, because there is a quorum of three out of four nodes, and one of the standby nodes can be promoted to a leader. Option A will not have auto-failover, because there is no quorum, as only two out of four nodes are available. Option B will not have autofailover, because there is no quorum, as only one out of four nodes is available. Option D will not have auto-failover, because there is no quorum, as none of the nodes are available. References:

1: Auto-failover

2: Configure auto-failover

Correct Answer:

The appropriate Secrets Manager solution for each scenario is as follows: token based retrieval of secrets, such as OIDC or JWT: Conjur workloads requiring the fastest secrets delivery performance possible: ASCP agentless workload authentication that relies on OS User: CCP These solutions are described in the Secrets Management Tools page of the CyberArk website

Correct Answer:

The correct order of the steps is: Define the Application with the desired authentication details Add the Application ID and Application Provider ID to the safe with appropriate permissions Configure application to call the appropriate REST API to retrieve the secret and test To allow an application to retrieve a secret with the CCP, the following steps are required: Define the Application with the desired authentication details: This step involves creating an Application object in the Vault with a unique Application ID and an Application Provider ID. The Application Provider ID is used to identify the CCP instance that will serve the request. The Application object also defines the authentication method and parameters that the application will use to connect to the CCP, such as certificate, password, or AppRole. Add the Application ID and Application Provider ID to the safe with appropriate permissions: This step involves granting the Application object the necessary permissions to access the safe and the secret that it needs. The Application ID and the Application Provider ID are added as members of the safe with at least List and Retrieve permissions. The secret name or ID can also be specified as a restriction to limit the access to a specific secret within the safe. Configure application to call the appropriate REST API to retrieve the secret and test: This step involves configuring the application to send a REST API request to the CCP endpoint with the required parameters, such as the Application ID, the Application Provider ID, the safe name, and the secret name or ID. The application should also provide the authentication credentials or token that match the method defined in the Application object. The application should receive a JSON response from the CCP with the secret value and other metadata. The application should test the connection and the secret retrieval before deploying to production. References: CyberArk Secrets Manager Sentry - Secrets Manager - Sample Items and Study Guide Sentry - Secrets Secrets Management Essentials for Developers