References:

• CyberArk Sentry Secrets Manager documentation: https://docs.cyberark.com/Portal/Content/Resources/_TopNav/cc_Portal.htm
• CyberArk Sentry Secrets Manager course materials: https://training.cyberark.com/learn
• CyberArk whitepapers and technical resources: https://www.cyberark.com/resources/home/cyberark-secrets-manager

• The authentication flow begins with the requester presenting their credentials to Conjur. This can be in the form of a username and password, an API key, or another supported method.
• Conjur verifies the presented credentials against its internal database. If the credentials are valid, Conjur generates and returns a short-lived access token to the requester.
• The requester includes the access token with every subsequent request to access Conjur resources. This allows Conjur to identify the requester and authorize their access to specific secrets and functionalities based on configured policies.
• Finally, each request is evaluated against the Conjur RBAC (Role-Based Access Control) rules defined in its policy. These rules determine which users and roles have access to specific resources and what actions they can perform. Only requests that comply with these rules are granted access.

In the event of a Leader failure, you can perform a manual failover to promote one of the Standbys to be the new Leader. The manual failover process consists of the following steps:

• Suspend replication for all Standbys and Followers and identify the best failover candidate. This step ensures that no data is lost or corrupted during the failover process. The best failover candidate is the Standby with the most advanced replication timeline, which means it has the most up-to-date data from the Leader.
• Promote the failover candidate to be the new Leader. This step changes the role of the failover candidate from a Standby to a Leader, and updates its configuration accordingly. The new Leader can now accept write requests from clients and replicate data to other nodes.
• Restore replication. This step re-establishes the replication connections between the new Leader and the other nodes, and rebases the replication of the other Standbys and Followers to the new Leader. This ensures that all nodes have the same data and are in sync with the new Leader.

References: The manual failover configuration steps are explained in detail in the Configure Manual Failover section of the CyberArk Conjur Enterprise documentation. The image in the question is taken from the same source.

 The correct order of the steps is:

• Define the Application with the desired authentication details
• Add the Application ID and Application Provider ID to the safe with appropriate permissions
• Configure application to call the appropriate REST API to retrieve the secret and test

Explanation: To allow an application to retrieve a secret with the CCP, the following steps are required:

• Define the Application with the desired authentication details: This step involves creating an Application object in the Vault with a unique Application ID and an Application Provider ID. The Application Provider ID is used to identify the CCP instance that will serve the request. The Application object also defines the authentication method and parameters that the application will use to connect to the CCP, such as certificate, password, or AppRole.
• Add the Application ID and Application Provider ID to the safe with appropriate permissions: This step involves granting the Application object the necessary permissions to access the safe and the secret that it needs. The Application ID and the Application Provider ID are added as members of the safe with at least List and Retrieve permissions. The secret name or ID can also be specified as a restriction to limit the access to a specific secret within the safe.
• Configure application to call the appropriate REST API to retrieve the secret and test: This step involves configuring the application to send a REST API request to the CCP endpoint with the required parameters, such as the Application ID, the Application Provider ID, the safe name, and the secret name or ID. The application should also provide the authentication credentials or token that match the method defined in the Application object. The application should receive a JSON response from the CCP with the secret value and other metadata. The application should test the connection and the secret retrieval before deploying to production.

References:

• CyberArk Secrets Manager
• Sentry - Secrets Manager - Sample Items & Study Guide
• Sentry - Secrets
• Secrets Management Essentials for Developers

To upgrade an HA Conjur cluster, you need to follow these steps:

• Stop and rename the Conjur Leader container and then start the new Leader. This step ensures that you have a backup of the old Leader container in case something goes wrong with the upgrade. You also need to specify the hostname and master-altnames parameters when starting the new Leader container to match the load balancer and the cluster nodes.
• Restore the Leader from backup. This step restores the data and configuration from the old Leader to the new Leader. You need to use the evoke restore command with the backup file name and the account name as arguments.
• Redeploy to the Standbys. This step upgrades the Standbys to the same version as the Leader. You need to stop and rename the old Standby containers and then start the new Standby containers with the evoke configure standby command. You also need to specify the hostname of the Leader and the Standby as arguments.
• Enroll the Leader and Standbys into the auto-failover cluster. This step enables the auto-failover feature for the cluster, which allows the Standbys to automatically take over the role of the Leader in case of a failure. You need to use the evoke cluster enroll command on the Leader and the evoke cluster join command on the Standbys. You also need to provide the hostname and password of the Leader as arguments.

References: You can find more information about the upgrade process in the following resources:

• Upgrade Conjur
• Configure the Conjur cluster
• Conjur architecture and deployment reference
• Breathe Easy with a Self-Healing Conjur Cluster