Exam Secret-Sen Topic 1 Question 42 Discussion
Actual exam question for CyberArk's Secret-Sen exam
Question #: 42
Topic #: 1
After manually failing over to your disaster recovery site (Site B) for testing purposes, you need to failback to your primary site (Site A).
Which step is required?
Suggested Answer: C
Explanation
According to the CyberArk Sentry Secrets Manager documentation [1], the steps to failback to the primary site after a manual failover to the disaster recovery site are as follows:
1. On the DR site, stop the Conjur Leader node using the command docker stop <container-name>.
2. On the primary site, generate a seed for the new Leader node using the command evoke seed leader <new-leader-fqdn>. This will create a file named <new-leader-fqdn>.tar in the current directory.
3. On the primary site, copy the Leader seed file to the new Leader server using the command scp <new-leader-fqdn>.tar <new-leader-fqdn>:<new-leader-fqdn>.tar
4. On the new Leader server, create a new container using the same name as the one you just stopped, and load the Leader seed file using the command docker run --name <container-name> -d --restart=always -v /var/log/conjur:/var/log/conjur -v /opt/conjur/backup:/opt/conjur/backup -p "443:443" -p "5432:5432" -p "1999:1999" cyberark/conjur:latest seed fetch <new-leader-fqdn> <new-leader-fqdn>.tar
5. On the new Leader server, configure the Conjur Leader node using the command evoke configure leader -h <new-leader-fqdn> -p <admin-password>
6. On the new Leader server, reconfigure the Vault Conjur Synchronizer to point to the new Conjur Leader using the command evoke vault sync set <vault-fqdn> <vault-user> <vault-password> <conjur-fqdn> <conjur-account> <conjur-user> <conjur-password>
7. On the DR site, generate a seed for the new Standby node using the command evoke seed standby <new-standby-fqdn>. This will create a file named <new-standby-fqdn>.tar in the current directory.
8. On the DR site, copy the Standby seed file to the new Standby server using the command scp <new-standby-fqdn>.tar <new-standby-fqdn>:<new-standby-fqdn>.tar
9. On the new Standby server, create a new container using the same name as the one you just stopped, and load the Standby seed file using the command docker run --name <container-name> -d --restart=always -v /var/log/conjur:/var/log/conjur -v /opt/conjur/backup:/opt/conjur/backup -p "443:443" -p "5432:5432" -p "1999:1999" cyberark/conjur:latest seed fetch <new-leader-fqdn> <new-standby-fqdn>.tar
10. On the new Standby server, re-enroll the node to the cluster using the command evoke cluster enroll <new-standby-fqdn>
The other options are not correct, as they are either unnecessary or incorrect. Contacting CyberArk for a new license file is not required, as the license is valid for both sites. Reconfiguring the Vault Conjur Synchronizer to point to the new Conjur Leader is a step that should be done on the new Leader server, not on the DR site. Triggering autofailover to promote the Standby in Site A to Leader is not possible, as the Standby node is not aware of the manual failover and will not accept the promotion request.
by Leo at May 03, 2026, 11:54 AM