Explanation
This is the most likely cause of this issue because it creates a discrepancy between the passwords stored in the Primary Vault and the DR Vault, which affects the Vault Conjur Synchronizer service (Synchronizer) and the application. The Synchronizer is a service that synchronizes secrets from the CyberArk Vault to the Conjur database. The application is a client that retrieves secrets from the Conjur database using the Conjur REST API. The CPM is a component that manages the lifecycle of the passwords stored in the CyberArk Vault, such as changing, verifying, and reconciling them. If the CPM is writing password changes to the Primary Vault while the Synchronizer is configured to replicate from the DR Vault, the following scenario may occur:
The CPM changes the password for an account in the Primary Vault and updates the password value in the Vault database.
The Synchronizer does not detect the password change in the DR Vault, as the DR Vault database has not been updated yet with the new password value.
The Synchronizer does not sync the new password value to the Conjur database, as it assumes that the password value in the DR Vault database is the latest and correct one.
The application requests the password value from the Conjur database and receives the old password value, which is different from the new password value in the Primary Vault database.
The application tries to use the old password value to access the target platform or device and fails, as the target platform or device expects the new password value.
This answer is based on the CyberArk Secrets Manager documentation1 and the CyberArk Secrets Manager training course2.