
CyberArk Cookbook Lesson 2a

Uploaded by

Gary Fung

Cyber-Ark lesson

PVWA
Password Vault Web Access
Cyber-Ark Product Suite

[Diagram: Cyber-Ark product suite]
• Privilege Identity Management: Enterprise Password Vault™, Application Identity Manager™, Privileged Session Manager™, Compliance and Policy Manager™
• Highly Sensitive Information: SDV (Sharing and Collaboration), IBV (Secure Manage File Transfer)
• Infrastructure Management
• Digital Vault

PIM Basic Operation

[Diagram: PIM basic operation. A System / User / Pass table lists sample accounts (Unix root, Windows Administrat, Oracle SYS, z/OS DB2ADMIN, Cisco enable), each shown with the initial password tops3cr3t, next to sample generated passwords (cqg8@fz, gviNa9%, iaX3f#!, X5$aq+p, p9U7%gG, lm7yT5w, iIt$8sa). Flow labels: Initial Password (auto discovery, bulk upload, manual); Define Access & synchronization Policies; Initial Reset or Periodic Resets; Reports. Components: Central Policy Manager, Vault, Password Vault Web Access. Roles: IT/Auditor (Policy, Report), Security/Risk Management (Policy).]

Supported platforms (partial list):
• Operating systems: UNIX (Solaris, AIX, HP/UX), Linux, Windows, i5/OS, z/OS, VMWare ESX
• Databases: Oracle, DB/2, SQLServer, Informix, Sybase, MySQL
• Applications: SAP
• Security Appliances: Firewall-1, IPSO, SPLAT, PIX, Netscreen, Fortigate
• Network Devices: Cisco, Juniper, Alcatel, Quintom, F5
• Directories: Active Directory, SunONE, eDirectory, Kerberos, NIS
• Remote Control: HP-iLO, ALOM, HMC
• Generic: Any telnet/SSH device, pluggable architecture

PIM Workflows and Policy Enforcement (partial list):
• Password Access
• Dual control
• Integration with Ticketing systems
• One-time Passwords, exclusivity
• Privileged SSO
• Secure Remote Connection
• Transparent Connection

Objectives

• Section (i): basic topics
– Searching for passwords
– Retrieving passwords – show, copy, connect
– Locking Passwords
– Requests and confirmations
– Changing my own password
– Inspecting activities
– Watching Versions
– Supplying a reason
– Customizing and personalizing the GUI screens

Introduction

• Web interface dedicated to password access and management
• Installed on a web server in the organization
• Using a secure connection (https)
• Access from anywhere
• Access by typing a URL in the browser address line: https://<computer-name>/PasswordVault

Authentication

Type in your user name and password

Accessing Passwords

• Frequently tab – passwords accessed most often
• Recently tab – passwords accessed lately
• How frequently? How recently? – configurable

Searching for Passwords

• Type a search word in the search tab
– You can specify up to four keywords, separated by commas
• Press the Go button
• To display all passwords, press the Go button

Retrieving Passwords

• Show Password – displays on screen
• Copy Password – copies in order to paste in remote connection screen
• Connect with Password – to use the password without knowing it (RDP + SSH).

Connect

Password Details

Click on one password to enter the Password details screen:

Password Details cont.

• CPM tab
– Shows the status of the password regarding current actions of the CPM (the password in the picture has an error)
– Shows additional password details that are linked with the CPM tasks

CPM Error

Password Details cont.

• Activities tab
– Displays all actions that were carried out on the password and by which user
– To watch activities, click the Activities tab

Watching Versions

• Click the Versions tab to see the last versions and who created them
• You can show, copy or try to connect with each version

Locking Passwords

• Some password Safes enforce exclusive passwords – passwords are locked when opened by a user
• When hovering over the lock icon you can see who is currently locking the password, if you have the Monitor Safe permission

Locking Passwords

• When you log in, you will see the passwords you are locking in the My Passwords screen:
• In order to release a password, press the Release button in the password details screen. The CPM will mark the password for immediate release. If not released by a user, the CPM will release the password after a predefined amount of time.

Requests and confirmations – submitting a request

• A password that requires confirmation has an additional icon:
• In order to view it, a confirmation from an authorized owner is needed.
• Click the show/copy/connect button and a request screen will be loaded.

Requests and confirmations – submitting a request

• Fill in reason and additional details.
• The request can be confirmed by any of the authorized users/groups written at the bottom.

Requests and confirmations – confirming a request
• When an authorized confirmer logs in, the desktop will show:
• Click on the link to present the requests waiting for your approval.

Requests and confirmations

• Click on a request to get the confirmation screen:

Requests and confirmations – receiving the confirmation

• After the request is approved, when logging in, you will see the following:
• Click on the link and you will see the approval screen with a link to the password object screen, where you will be able to press the show/copy/connect buttons

Supplying a reason

• A reason can be enforced in order to retrieve passwords.
• Click to see the password and the following screen will appear:
• Supply a reason and the password will be retrieved.
• Reasons can be viewed in the Activities tab

Customizing

• Click the Customize button to enter the customizing screen

Customizing

• In the Customize screen you can:
– Choose the default view (Dashboard, passwords, files)
– Choose the default tab (Frequently, Recently)
– Choose how many password or file objects to display in a page
– Change your own password

Cyber-Ark lesson

PVWA – Advanced Features

Objectives

• Section (ii): advanced topics
– The Dashboard
– Adding passwords
– Deleting passwords
– Changing passwords via the Change button
– Verifying passwords via the Verify button
– Reconciling passwords via the Reconcile button
– Disabling automatic management and resuming
– Integration with ticketing systems (if relevant)
– Password groups
– Creating and Managing Files in the PVWA

The Dashboard

• Authorized users are able by default to see the dashboard (PVWAMonitor)

Adding Passwords

• Click the Add Account button and the Add Account tab will appear

Note: This button will only be displayed if you have Store authorization in at least one Safe.

Adding Accounts

• From the drop-down Safe list, select the Safe where the account object will be stored.
• From the drop-down device list, select the type of device on which the new account is used.
• Required or optional properties for the type of password that you have selected will appear automatically, according to the definitions in the device and policies configuration file.
• In the Password field, specify the password.
• In the Confirm Password field, specify the password again.
• To generate a password name automatically, select Auto-generated.
• To specify a password name, enter the name in the Custom field.

Deleting Accounts

• Click on an account to enter the account Details Screen
• Click on the delete icon in the icon bar
• You will be prompted to confirm the deletion
• Click on the delete icon in the icon bar
• A password details tab will be shown with no activity buttons except the following:

Verifying Accounts

• To activate an immediate verification process by the CPM:
– Enter the account details tab
– Click the Verify button
– You will be prompted to confirm the action
• The CPM tab will show the following
• The result of the action will be presented in the CPM tab
• Click the Cancel button in order to cancel the operation

Reconciling Passwords

• A reconcile account is needed
• To activate an immediate reconciliation process by the CPM:
– Enter the password details tab
– Click the Reconcile button
– You will be prompted to confirm the action
• The CPM tab will show the following
• The result of the action will be presented in the CPM tab

Disabling Automatic management

• Two ways to disable automatic management:
– Via the PVWA
– Automatically

Disabling Automatic management - PVWA
• Edit Password Screen:
• In the CPM tab: “Automatic Management for this password is disabled”

Disabling Automatic management - Automatically

• CPM will automatically disable automatic management in the following cases:
– After trying to change a password and receiving error numbers written in the UnrecoverableErrors field in the policy
– After failing to change a password and reaching the maximum amount of retries configured in the policy
• To see the reason for disabling, click on the error or more details buttons
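
The two automatic-disable conditions above, modelled as an added example (not CyberArk code and not part of the original slides) that replays change-attempt results and reports which accounts have stopped rotating and why. Only the UnrecoverableErrors field comes from the slide; `max_retries`, the error numbers, the account names and the rule that a successful change resets the retry count are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    # UnrecoverableErrors is the policy field named on the slide; max_retries
    # is a hypothetical name for the policy's retry limit.
    unrecoverable_errors: frozenset
    max_retries: int


def evaluate(policy, attempts):
    """Replay CPM change results (0 = success, otherwise an error number).

    Returns (still_managed, reason)."""
    failures = 0
    for code in attempts:
        if code == 0:
            failures = 0  # assumption: a successful change resets the count
            continue
        if code in policy.unrecoverable_errors:
            return False, f"unrecoverable error {code}"
        failures += 1
        if failures >= policy.max_retries:
            return False, f"retry limit of {policy.max_retries} reached"
    return True, "automatic management active"


def unmanaged_accounts(policy, history):
    """Map each account that dropped out of automatic management to the reason."""
    report = {}
    for account, attempts in history.items():
        managed, reason = evaluate(policy, attempts)
        if not managed:
            report[account] = reason
    return report


# Constructed sample data: error numbers and account names are made up.
POLICY = Policy(unrecoverable_errors=frozenset({9001, 9002}), max_retries=3)
HISTORY = {
    "unix-root": [0, 9100, 0],           # one transient failure, then success
    "oracle-sys": [9100, 9001],          # hits an unrecoverable error
    "cisco-enable": [9100, 9100, 9100],  # exhausts the retries
}

if __name__ == "__main__":
    for account, reason in unmanaged_accounts(POLICY, HISTORY).items():
        print(f"{account}: automatic management disabled ({reason})")
```

An account reported here keeps its current password until someone resumes automatic management, so the report is a list of privileged credentials that are no longer being rotated.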

Resuming Automatic management

• To resume automatic management from a failure or manual disabling, press the resume button in the file details screen, CPM tab

Move Accounts Between Safes

• Move accounts between Safes
– Multiple selection support for moving accounts between Safes
– Deletes and recreates the account, including:
  • Password content
  • Password properties
  • Usages
  • Recreates group master
– Does not move:
  • Audit log
  • Versions
  • Links to the account
  • OLAC rules
  • Existing dual control requests

Password Groups

• The CPM can manage groups of password objects, so that all the passwords contained in the members of a group are changed together. After the password change process, all the members of the password group will have the same password.
• The group is assigned to a policy file that determines when the password will be changed and the restrictions that the password will have. Each group member will be changed by the plug-in specified in the policy file assigned to the password object (different devices can be in the same group).

Ticketing Systems – dual control

• Integration with a ticketing system can happen at two points
– When the request to view a password is made: a ticket can be opened in the ticketing system
– When the request to view a password is made: confirmation can be made in the ticketing system and retrieved by the vault.
• Development using the ticketing system API is required

Files

• To work with files use the Files tab
• Possible actions: upload, download, open

Summary

• Retrieving Passwords
• Managing Passwords
• Workflow features
• Refer to the implementation guide for more info

Q&A
