PAS Install Lab Guide - v11.2

CyberArk University

PAS Install Lab Guide

Exercise Guide
Contents
INTRODUCTION........................................................................................................................................................ 4
USING SKYTAP .......................................................................................................................................................... 4
INTERNATIONAL USERS ............................................................................................................................................... 6
SCENARIO .............................................................................................................................................................. 10
EPV INSTRUCTIONS ................................................................................................................................................ 11
VAULT INSTALLATION ............................................................................................................................................ 12
BEFORE INSTALLATION.............................................................................................................................................. 12
VAULT SERVER INSTALLATION..................................................................................................................................... 14
PRIVATEARK CLIENT INSTALLATION.............................................................................................................................. 24
POST VAULT INSTALLATION ....................................................................................................................................... 27
INSTALL PASSWORD VAULT WEB ACCESS .............................................................................................................. 28
INSTALL IIS PRE-REQUISITE SOFTWARE USING AUTOMATIC PREREQUISITES SCRIPT .................................................................. 28
IMPORT TRUSTED CERTIFICATES FOR WEBHOSTING......................................................................................................... 29
REQUIRE HTTP OVER SSL (PVWA) ............................................................................................................................ 30
INSTALL PVWA ...................................................................................................................................................... 31
HARDENING THE CYBERARK PVWA SERVERS ................................................................................................................ 34
CONFIGURE IIS REDIRECTION ..................................................................................................................................... 37
INSTALL THE PRIVATEARK CLIENT ON THE COMPONENT SERVER.......................................................................................... 38
TEST PVWA LOAD BALANCING .................................................................................................................................. 39
INSTALL CPM (DISTRIBUTED) ................................................................................................................................. 40
INSTALL 1ST CPM .................................................................................................................................................... 40
POST CPM INSTALLATION ......................................................................................................................................... 43
INSTALL 2ND CPM.................................................................................................................................................... 43
POST CPM INSTALLATION ......................................................................................................................................... 44
RENAME 1ST CPM ................................................................................................................................................... 45
UPDATE THE NAME OF THE CPM IN THE PVWA............................................................................................................. 47
HARDEN THE CPM SERVER ........................................................................................................................................ 47
INTEGRATIONS ....................................................................................................................................................... 50
LDAP AUTHENTICATION (OVER SSL) ........................................................................................................................... 50
SMTP INTEGRATION................................................................................................................................................ 56
SIEM INTEGRATION................................................................................................................................................. 59
NTP INTEGRATION .................................................................................................................................................. 62
AUTHENTICATION TYPES ....................................................................................................................................... 65
RADIUS AUTHENTICATION ....................................................................................................................................... 65
PKI AUTHENTICATION .............................................................................................................................................. 71
TWO FACTOR AUTHENTICATION (2FA) ........................................................................................................................ 75
EPV TESTING AND VALIDATION ............................................................................................................................. 76
ADD WINDOWS DOMAIN ACCOUNT ............................................................................................................................ 77
ADD WINDOWS SERVER LOCAL ACCOUNT..................................................................................................................... 77
ADD LINUX ROOT ACCOUNT ...................................................................................................................................... 78
ADD ORACLE DATABASE ACCOUNT.............................................................................................................................. 78
INSTALL PSM .......................................................................................................................................................... 80
INSTALL A STANDALONE PSM INSTALLATION ........................................................................................................ 81
PSM INSTALLATION PREREQUISITES ............................................................................................................................ 81
PSM INSTALLATION ................................................................................................................................................. 84
PSM POST INSTALLATION ......................................................................................................................................... 87
PSM HARDENING ................................................................................................................................................... 88
PSM TESTING AND VALIDATION ................................................................................................................................. 90
LOAD BALANCED PSM SERVERS............................................................................................................................. 92
CONFIGURE PSM LOAD BALANCING ............................................................................................................................ 92
UPDATE RDS CERTIFICATE ........................................................................................................................................ 94
PSM FOR SSH INSTALLATION ................................................................................................................................. 95
SECURING CYBERARK ........................................................................................................................................... 101
LOCK DOWN A USER’S INTERFACE ............................................................................................................................. 101
USE RDP OVER SSL ............................................................................................................................................... 102
MANAGE LDAP BINDACCOUNT ............................................................................................................................... 107
MANAGE PSMCONNECT/PSMADMINCONNECT USING THE CPM ................................................................................... 108
MANAGE CYBERARK ADMINISTRATOR ACCOUNT USING THE CPM ................................................................................... 113
CONNECT WITH PSM-PRIVATEARK CLIENT ................................................................................................................. 114
CONNECT USING PSM-PVWA-CHROME ................................................................................................................... 117
CYBERARK VAULT BACKUP .................................................................................................................................. 120
ENABLE THE BACKUP AND DR USERS ......................................................................................................................... 120
INSTALL THE PRIVATEARK REPLICATOR COMPONENT ..................................................................................................... 123
CREATE A WINDOWS SCHEDULED TASK ...................................................................................................................... 125
TESTING THE BACKUP/RESTORE PROCESS ................................................................................................................... 127
DISASTER RECOVERY............................................................................................................................................ 129
INSTALL THE DISASTER RECOVERY MODULE ................................................................................................................. 129
VALIDATE REPLICATION .......................................................................................................................................... 131
EXECUTE AUTOMATIC FAILOVER TEST ........................................................................................................................ 132
EXECUTE FAILBACK PROCEDURE USING MANUAL FAILOVER ............................................................................................ 135
(OPTIONAL) EXERCISES ........................................................................................................................................ 140
ADDING FIREWALL RULES TO THE VAULT MANUALLY ..................................................................................................... 140
LOGGING ON WITH THE MASTER USER ...................................................................................................................... 140
ADVANCED PSMP IMPLEMENTATION ........................................................................................................................ 141

CyberArk University Exercise Guide Page 2


© Cyber-Ark® Software Ltd - No part of this material may be disclosed to any person or firm or reproduced by any means, electronic and mechanical,
without the express prior written permission of Cyber-Ark® Software Ltd.
PAS Install Lab Guide

Important Notice
Conditions and Restrictions
This Guide is delivered subject to the following conditions and restrictions:
This guide contains proprietary information belonging to Cyber-Ark® Software Ltd. Such information is supplied solely for
the purpose of assisting explicitly and properly authorized users of the Cyber-Ark Vault.
No part of its contents may be used for any other purpose, disclosed to any person or firm or reproduced by any means,
electronic and mechanical, without the express prior written permission of Cyber-Ark® Software Ltd.
The software described in this document is furnished under a license. The software may be used or copied only in
accordance with the terms of that agreement.
The text and graphics are for the purpose of illustration and reference only. The specifications on which they are based are
subject to change without notice.
Information in this document is subject to change without notice. Corporate and individual names and data used in
examples herein are fictitious unless otherwise noted.
Third party components used in the Cyber-Ark Vault may be subject to terms and conditions listed on www.cyber-ark.com/privateark/acknowledgement.htm.
Acknowledgements
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/).
This product includes cryptographic software written by Eric Young ([email protected]).
This product includes software written by Tim Hudson ([email protected]).
This product includes software written by Ian F. Darwin.
This product includes software developed by the ICU Project (http://site.icu-project.org/) Copyright © 1995-2009
International Business Machines Corporation and others. All rights reserved.
This product includes software developed by the Python Software Foundation. Copyright © 2001-2010 Python Software
Foundation; All Rights Reserved.
This product includes software developed by Infrae. Copyright (c) 2004 Infrae. All rights reserved.
This product includes software developed by Michael Foord. Copyright (c) 2003-2010, Michael Foord. All rights reserved.
Copyright
© 2000-2012 Cyber-Ark Software, Ltd. All rights reserved. US Patent No 6,356,941.
Cyber-Ark®, the Cyber-Ark logo, the Cyber-Ark slogan, PrivateArk™, Network Vault®, Password Vault®, Inter-Business Vault®,
Vaulting Technology®, Geographical Security™ and Visual Security™ are trademarks of Cyber-Ark Software Ltd.
All other product names mentioned herein are trademarks of their respective owners.
Information in this document is subject to change without notice.


Introduction
Using Skytap
Before beginning the exercises, here are a few tips to help you navigate the labs more effectively.
• Click the screen icon to access the virtual machine directly in your browser.
If you are using any keyboard other than a standard US layout, it is strongly recommended that you use
an RDP connection rather than the HTML 5 client in the browser. When using RDP, all you need to do
is set the keyboard language in Windows and everything should work.
Go to the International Users section for instructions on changing the keyboard.

1. Click the large monitor icon to connect with the HTML 5 client.

2. If the HTML 5 client does not work, try direct RDP. Inform your instructor if you do this, because some
actions will not work as shown in the book.

3. Use the Ctrl-Alt-Del button on the tool bar to send a Ctrl-Alt-Del to the machine.


4. The clipboard icon will allow you to copy and paste text between your computer and your lab
machine.

5. The full screen icon will resize your lab machine to match your computer’s screen settings to avoid
scrolling.


6. You may need to adjust your bandwidth setting on slower connections.

International Users
By default, the lab machines are configured to use a US English keyboard layout. If you use a machine
from a country other than the US, you may experience odd behavior from your lab machines. The
solution is to install the layout for your keyboard on the lab machines. Follow the process below to
find and configure the correct keyboard layout for your keyboard.

7. From the Start Menu launch “Add a language.”


8. Click “Add a language.”

9. Select your language. Click Open.

10. Select your specific locality or dialect. Click Add.


11. With the option English (United States) selected, click the Move down button. This will make your
language the default. Do not remove US English altogether, as your instructor may need it if he/she
connects to your machine.

Note: If you use an alternate keyboard layout (e.g. AZERTY, Dvorak) you can click options next
to your language to install that. Otherwise, close the Language window.


12. In the system tray, click ENG, then choose your keyboard layout. You may switch back and forth
between keyboard layouts. Your instructor may occasionally need to switch back to ENG to help you
with exercises.


Scenario
CyberArk Demo Inc. (“the Customer”) has just purchased CyberArk’s Privileged Account Security (PAS).
This document details the Customer’s specific requirements regarding the use of PAS in their
environment:
Network                         Server Name           IP Address
Windows Domain Controller:      DC01                  10.0.0.2
cyber-ark-demo.local
Unix / Linux                    CentOS-target         10.0.0.20
RADIUS                                                10.0.0.6
CyberArk PAS                    Vault01A              10.0.10.1
                                Comp01A (PVWA-CPM)    10.0.20.1
                                Comp01B (PVWA-CPM)    10.0.21.1
                                Comp01C (PSM)         10.0.22.1
                                Comp01D (PSM)         10.0.23.1
                                DR                    10.0.14.1
                                PSMP                  10.0.1.16

You are required to install and implement the PAS solution to support the customer’s specific
requirements. You will be given access to CyberArk’s documentation in order to complete your task.
You may use the detailed installation guide provided by the trainer or the formal CyberArk installation
guide. The installation guide provided by the trainer should be used in the training environment only.
For production deployments, use the CyberArk published documentation for the version you are installing.
The default password for all privileged accounts and servers in the customer’s network is Cyberark1.


EPV Instructions
You have been assigned responsibility for assisting a customer in installing and configuring the CyberArk
Privileged Access Security suite. The Customer has purchased CyberArk’s EPV solution to protect and
manage their privileged accounts. End users are required to authenticate to CyberArk using two-factor
authentication.
In the following sections you will be required to:
1. Install a standalone Vault
2. Install 2 CPM Servers (one for managing Windows accounts and one for managing Unix and Oracle)
3. Install 2 PVWA Servers (Load Balanced, and configured for automatic failover to the DR vault)
4. Install 2 PSM Servers in a Load Balanced configuration
5. Install 1 PSMP Server
6. Install the Disaster Recovery and Vault Backup components
7. Integrate CyberArk with the Customer’s LDAP, SMTP and SIEM solutions
8. Implement 2 Factor Authentication
9. Test the PAS EPV implementation. Add test accounts on the following target systems: Windows Domain,
Windows Server, Linux and Oracle, and execute password management and PSM operations.


Vault Installation
This exercise provides detailed instructions on installing the CyberArk Digital Vault server and client
software and is broken down into three sections:

• Before Installation

• Vault Server Installation

• PrivateArk Client Installation

Before Installation

Objective: Preparation. It is important to copy all CyberArk software, License.xml and any other
files needed to the Vault server prior to EPV installation and hardening.
Note: Ensure that all virtual machines (VMs) in your Skytap lab are started before
proceeding (with the exception of the DR VM).

1. Sign in to the Vault01A server as Administrator.

Note: A PowerShell script will launch automatically. Allow the script to complete and ignore
any errors.

2. Open File Explorer and navigate to the shared resource folder, “Z:\”. If the Z: drive is not mapped,
map Z: to “\\dc01\shared”.

a. Navigate to “Z:\CyberArk PAS Solution\v11.2\”. Copy the “Vault Install Files” and
“License and Operator Keys” folders to “C:\CyberArkInstallationFiles”.

b. Do not copy any other folders or files.

Objective: A stand-alone Vault server only requires TCP/IPv4 for network communication. In
preparation for installing the Vault server software, we will first remove all NIC protocols,
clients and services that are not required for Vault functionality.

3. Right click the Network icon in the system tray and select Open Network and Sharing Center.


4. Click Change adapter settings.

5. Right click on the Public Network Adapter and choose Properties.

6. De-select the check box for Internet Protocol Version 6 (TCP/IPv6).


7. Select Internet Protocol Version 4 (TCP/IPv4) and select Properties.
a. Ensure the static IP address (10.0.10.1), Subnet mask (255.255.0.0) and Default gateway
(10.0.255.254) are defined.
b. Remove any DNS server addresses defined and select the Advanced... button.
c. In the DNS tab, deselect “Register this connection’s addresses in DNS”.
d. In the WINS tab, deselect “Enable LMHOSTS lookup”.
e. Select OK twice to return to the Public Properties dialog.
8. Select the “Link-Layer Topology Discovery Responder” and press the Uninstall button.


9. Press Yes to confirm.

10. Uninstall all the remaining items except Internet Protocol Version 4 (TCP/IPv4) and Internet
Protocol Version 6 (TCP/IPv6). IPv6 must remain deselected.

11. Restart the Vault01A server.
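As an added check that is not part of the lab guide, the following PowerShell script audits the Public adapter against steps 3 to 10 above before you restart; the adapter name, the Windows component IDs used for the listed bindings, and reading the LMHOSTS setting from the first IP-enabled adapter are assumptions.

```powershell
# Added audit script (not from the CyberArk lab guide): reports any deviation of
# the Vault server's Public adapter from the "Before Installation" baseline.
# Assumptions: run as Administrator on Windows Server with the NetAdapter and
# DnsClient modules available; $AdapterName is a placeholder for the Public adapter.
param(
    [string]$AdapterName = 'Ethernet'   # placeholder: name of the Public adapter
)

# Bindings the lab uninstalls or deselects, keyed by Windows component ID
# (assumed mapping of IDs to the names shown in the adapter Properties dialog).
$expectedDisabled = @{
    'ms_tcpip6'   = 'Internet Protocol Version 6 (TCP/IPv6)'   # must stay deselected
    'ms_rspndr'   = 'Link-Layer Topology Discovery Responder'
    'ms_lltdio'   = 'Link-Layer Topology Discovery Mapper I/O Driver'
    'ms_msclient' = 'Client for Microsoft Networks'
    'ms_server'   = 'File and Printer Sharing for Microsoft Networks'
    'ms_pacer'    = 'QoS Packet Scheduler'
}

$findings = @()
$bindings = Get-NetAdapterBinding -Name $AdapterName

foreach ($id in $expectedDisabled.Keys) {
    $b = $bindings | Where-Object ComponentID -eq $id
    if ($null -eq $b) { continue }            # not present: already uninstalled
    if ($b.Enabled) {
        $findings += "Binding still enabled: $($expectedDisabled[$id]) ($id)"
    }
}

# TCP/IPv4 is the one protocol that must remain bound and enabled.
$ipv4 = $bindings | Where-Object ComponentID -eq 'ms_tcpip'
if ($null -eq $ipv4 -or -not $ipv4.Enabled) {
    $findings += 'TCP/IPv4 is not enabled on the adapter'
}

# Static addressing from step 7a: 10.0.10.1, mask 255.255.0.0 (/16), gateway 10.0.255.254.
$ip = Get-NetIPAddress -InterfaceAlias $AdapterName -AddressFamily IPv4 -ErrorAction SilentlyContinue |
      Select-Object -First 1
if ($null -eq $ip -or $ip.IPAddress -ne '10.0.10.1' -or $ip.PrefixLength -ne 16) {
    $findings += "IPv4 address is not 10.0.10.1/16 (found: $($ip.IPAddress)/$($ip.PrefixLength))"
}
$gw = Get-NetRoute -InterfaceAlias $AdapterName -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
      Select-Object -First 1
if ($null -eq $gw -or $gw.NextHop -ne '10.0.255.254') {
    $findings += 'Default gateway is not 10.0.255.254'
}

# Steps 7b and 7c: no DNS servers defined and no DNS registration for this connection.
$dns = Get-DnsClientServerAddress -InterfaceAlias $AdapterName -AddressFamily IPv4
if ($dns.ServerAddresses.Count -gt 0) {
    $findings += "DNS servers still defined: $($dns.ServerAddresses -join ', ')"
}
$dnsClient = Get-DnsClient -InterfaceAlias $AdapterName
if ($dnsClient.RegisterThisConnectionsAddress) {
    $findings += "'Register this connection's addresses in DNS' is still enabled"
}

# Step 7d: LMHOSTS lookup is a WINS setting exposed through the CIM adapter configuration
# (assumed: the first IP-enabled adapter is the Public adapter).
$cfg = Get-CimInstance Win32_NetworkAdapterConfiguration |
       Where-Object { $_.IPEnabled } | Select-Object -First 1
if ($cfg.WINSEnableLMHostsLookup) {
    $findings += "'Enable LMHOSTS lookup' is still enabled"
}

if ($findings.Count -eq 0) {
    Write-Output "Adapter '$AdapterName' matches the Vault pre-installation baseline."
} else {
    Write-Output "Deviations found on adapter '$AdapterName':"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it with the actual name of the Public adapter (for example `.\audit-vault-nic.ps1 -AdapterName 'Public'`); an empty findings list means the adapter is ready for the Vault server installation.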

Vault Server Installation

Objective: This exercise provides detailed, step-by-step instructions on installing the CyberArk
Digital Vault server and PrivateArk Client software. On the lab server, the files copied
from the shared drive in the pre-requisite steps are required to complete the
installation.

1. Sign in to the Vault server as Administrator. Using File Explorer, navigate to
“C:\CyberArkInstallationFiles\Vault Install Files\Server”. Right click on setup.exe and choose “Run
as Administrator”.

a. Select “Run anyway” at the Windows SmartScreen warning, if applicable.


2. Accept the default options on the next three windows, including your company name (e.g.
CyberArk) on the Customer Information page.


3. Select the Standalone Vault Installation option to install the Vault as a stand-alone server.

1. Press Next to accept the default installation location and Next again to accept the default Safes
location.


2. Select Browse to select a custom license file path.

3. Click OK and then Cancel on the Insert disc pop-up to browse to the correct location.

Note: Because the software looks for the license file on the DVD drive by default, you will
probably receive an error message regarding the D: drive.


4. In the Choose folder pop-up, browse to “C:\CyberArkInstallationFiles\License and Operator
Keys\License”, press OK and then press Next.

5. The same procedure is required for the Operator CD. Press Browse to select a custom Operator
CD path.

6. You will receive the same error message regarding the D: drive. Click OK and then Cancel on the
Insert disc pop-up to browse to the correct location.


7. Browse to the “C:\CyberArkInstallationFiles\License and Operator Keys\Operator CD” directory,
click OK and then press Next.

Note: These files must be accessible to the PrivateArk Server service in order to start the
Vault. A Hardware Security Module (HSM) is the recommended method for key
storage. If these files are to be stored on the file system, it is highly recommended that
the keys and the encrypted files be stored on separate media. If stored on attached
storage, the Operator Keys should be located on an NTFS drive.

Note: If the Vault is installed on a virtual machine, storing Operator CD files on the file
system is not recommended due to the lack of physical security.


8. Enter the IP addresses of your Component servers (10.0.20.1,10.0.21.1) in the Remote Terminal
IP Address field, enter Cyberark1 in the password fields and press Next.

9. We will not be using Distributed Vaults with PSM in this lab. Select Next without selecting “Install
the Distributed Vaults internal communication platform”.


10. Press Next to allow CyberArk to harden the CyberArk Digital Vault machine.

11. Press Next to accept the default Program Folder.

12. The Performing Vault Server Machine Hardening window will appear. This may take a few
minutes.


Note: In the Skytap environment, you may receive a message that the hardening failed. If so,
press the Retry button. In training, a failure is usually caused by a timeout while stopping
services, because we are using virtual machines with limited resources.

13. Set passwords for the Master and Administrator; enter Cyberark1 in all the password fields and
press Next.

Note: We will use the password ‘Cyberark1’ as a default password. It is not recommended
that you do this in a production environment.


14. Choose “No, I will restart my computer later” and press Finish.


PrivateArk Client Installation

Next, we will install the PrivateArk Client on the Vault server.

1. In File Explorer go to “C:\CyberArkInstallationFiles\Vault Install Files\Client”. Right click setup.exe
and choose “Run as administrator”.

a. If the message “Windows SmartScreen can’t be reached right now” appears, click “Run
anyway”.

2. Accept the default options in each of the next six windows. If the User Information window is
blank, enter Name: CyberArk and Company: CyberArk.


3. Press OK to define your first connection to the PrivateArk Vault. This will create a shortcut to
your Vault within the PrivateArk Client.

4. Enter the following information:

   Server Name          Vault
   Server Address       10.0.10.1
   Default User Name    administrator or leave blank (leaving blank means the client will
                        remember the last logged on user)


5. Press OK.

6. Press OK to acknowledge the proxy server message.

7. Select Yes, I want to restart my computer now and press Finish.


Post Vault Installation


1. Login to the Vault01A server and double-click the “PrivateArk Server” shortcut on the desktop to
open the Server Central Administration utility. Confirm there are no errors, and “ITAFW001I
Firewall is open for client communication” message appears.
2. Launch the PrivateArk Client from the desktop. Double click the Vault shortcut and login as
Administrator/Cyberark1.
a. Ensure that the 3 default safes exist, System, VaultInternal and Notification Engine. If any of
these safes do not exist, stop and inform the instructor.
b. Logout and close the PrivateArk Client.
3. Open Windows Services and check that the following services have been installed and started.
a. Cyber-Ark Event Notification Engine (1)
b. Cyber-Ark Hardened Windows Firewall
c. CyberArk Logic Container
d. PrivateArk Database
e. PrivateArk Remote Control Agent
f. PrivateArk Server

Note: The CyberArk Enterprise Password Vault is now installed. We are ready to begin
      installing the CyberArk components, beginning with the Password Vault Web Access,
      or PVWA.

(1) The Cyber-Ark Event Notification Engine service is configured to Automatic (Delayed Start). It may take a few
    minutes to start.
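The service check in step 3 of Post Vault Installation can be scripted so that the delayed start of the Event Notification Engine is tolerated instead of reported as a failure. The following PowerShell is an added example for this guide and is not part of the CyberArk installation files; the service display names are the ones listed in step 3, while the function name Wait-ServicesRunning, the ten-second polling interval and the five-minute timeout are assumptions.

```powershell
# Added example for the lab guide, not CyberArk code. Polls the Vault services
# listed in "Post Vault Installation" step 3 until all are running, allowing
# for the Automatic (Delayed Start) setting of the Event Notification Engine.
function Wait-ServicesRunning {
    param(
        # Display names as they appear in the Services console (from the guide)
        [string[]]$DisplayNames = @(
            'Cyber-Ark Event Notification Engine',
            'Cyber-Ark Hardened Windows Firewall',
            'CyberArk Logic Container',
            'PrivateArk Database',
            'PrivateArk Remote Control Agent',
            'PrivateArk Server'
        ),
        # Assumed upper bound on how long to wait for delayed-start services
        [int]$TimeoutSeconds = 300
    )

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ($true) {
        $report = foreach ($name in $DisplayNames) {
            $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Service   = $name
                Installed = [bool]$svc
                Status    = if ($svc) { $svc.Status.ToString() } else { 'Missing' }
            }
        }
        $notRunning = @($report | Where-Object { $_.Status -ne 'Running' })
        # Stop polling when everything is up, when a service is absent
        # (waiting cannot fix that), or when the timeout has passed.
        if ($notRunning.Count -eq 0) { break }
        if ($report | Where-Object { -not $_.Installed }) { break }
        if ((Get-Date) -gt $deadline) { break }
        Start-Sleep -Seconds 10
    }
    $report
}

$result = Wait-ServicesRunning
$result | Format-Table -AutoSize

if ($result | Where-Object { -not $_.Installed }) {
    Write-Warning 'A Vault service is not installed. Stop and inform the instructor.'
} elseif ($result | Where-Object { $_.Status -ne 'Running' }) {
    Write-Warning 'Services still not running after the timeout. Check the PrivateArk Server logs.'
} else {
    Write-Host 'All Vault services are installed and running.'
}
```

The same function serves the Post CPM Installation checks later in this guide by passing the CPM service names, for example Wait-ServicesRunning -DisplayNames 'CyberArk Password Manager','CyberArk Central Policy Manager Scanner'.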

Install Password Vault Web Access

Objective: Install the PVWA on both Component servers, Comp01A and Comp01B

In this chapter, you will perform the tasks in the following order:
• Install IIS Pre-requisite Software

Install IIS Pre-requisite Software using Automatic prerequisites script

Note: CyberArk provides a script to automate the PVWA prerequisites. The script installs the
      Web Server role and features, creates a self-signed web certificate and configures the
      HTTPS binding. Sign in to Comp01A as Administrator.

Note: Ensure that all virtual machines (VMs) are started in your Skytap lab before
      proceeding (with the exception of the DR VM).

1. Open File Explorer and navigate to the shared resource folder, “Z:\CyberArk PAS Solution\v11.2\”.
If Z: is not mapped, map a drive to “\\dc01\shared”.

   a. Copy the “Password Vault Web Access-Rls-v11.2.zip” and “Client-Rls-v11.2.zip” files to
      “C:\CyberArkInstallationFiles”. Extract the zip archives on the Component Server. Do not copy
      any other files.

2. Navigate to “C:\CyberArkInstallationFiles\Password Vault Web Access-Rls-v11.2\InstallationAutomation”.

3. Open Windows PowerShell as an Administrator in the folder specified in step 2 and execute the
following PowerShell commands. Select Yes when prompted.

   Get-ExecutionPolicy   (If the result is not “Restricted”, run “Set-ExecutionPolicy Restricted”)
   Set-ExecutionPolicy Bypass -Scope Process
   .\PVWA_Prerequisites.ps1

4. Verify the script completed successfully by reviewing the Script.log found in the
   “C:\CyberArkInstallationFiles\Password Vault Web Access\Installation Automation\{date_time}” folder.

5. Open the IIS Manager console and verify that IIS was installed, that a self-signed certificate was
   generated and that incoming HTTPS requests are using the certificate.


a. Navigate to the “Default Web Site”, select Edit Site, Bindings. Edit the HTTPS Binding and
confirm the self-signed SSL certificate is assigned.

Note: The PVWA_Prerequisites script creates a self-signed certificate and uses this certificate
      for binding incoming HTTPS requests. In a production environment, you must update
      the HTTPS binding with a certificate provided by a Trusted Certification Authority.

Note: For manual instructions on the deployment of PVWA pre-requisites please refer to
      https://docs.cyberark.com.

Import Trusted Certificates for WebHosting

Note: A Trusted Web Certificate should be provided by the customer and copied to each
server hosting the PVWA. In the following procedure you will replace the self-signed
certificate created by the Prerequisites script with the Trusted Web Certificate. A
certificate has been provided by the Certificate Administrator for both PVWA Servers;
Comp01a and Comp01b.

1. Sign in to PVWA Server Comp01a as Administrator.

2. Launch Internet Information Services (IIS) Manager from the Start Menu > Administrative Tools.
   Under Connections, select the Host name then double click “Server Certificates”, as shown in the
   graphic.

3. Select “Import…” from the Actions menu and then the ellipsis to search for the Certificate file
(.pfx).


4. Navigate to c:\CyberArkInstallationFiles and select the comp01aWebCert.pfx file and click Open.
Enter the password “Cyberark1”, select Certificate Store: Web Hosting and Allow this certificate
to be exported.

5. Under Connections, expand Sites and select Default Web Site. In the Actions column, select
Bindings…

6. Double click the https binding. Select the comp01aWebCert that you imported in the previous
steps. Click OK and Close.

Require HTTP over SSL (PVWA)

Objective: In this section we will configure IIS to require connections over SSL. This is also a
prerequisite for later authentication sections.

1. Begin by launching IIS Manager (INETMGR) from the Start Menu > Administrative Tools on your
Component server.
2. Go to Default Web Site and double click SSL Settings (golden padlock). Select Require SSL and
click Apply in the Actions menu.


3. Validate the IIS installation. This is an important step to confirm that the IIS server is functioning
   correctly prior to the PVWA software installation. Open Internet Explorer and attempt to connect
   to the default web site on the component server with http and https URLs. What is the expected
   behavior of each?

   a. “https://comp01A.cyber-ark-demo.local/”
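The checks in Import Trusted Certificates for WebHosting and Require HTTP over SSL can be confirmed from PowerShell rather than by clicking through IIS Manager. The block below is an added example for this guide, not CyberArk code or part of the prerequisites script; it uses the WebAdministration module that ships with IIS, reads the certificate bound to the HTTPS binding of the Default Web Site, reports whether it is still the self-signed one, and checks (or, if asked, sets) the Require SSL flag. The function names Get-PvwaTlsState and Set-RequireSsl are assumptions.

```powershell
# Added example for the lab guide, not CyberArk code. Reports the certificate on
# the HTTPS binding and the "Require SSL" setting of the Default Web Site.
Import-Module WebAdministration

function Get-PvwaTlsState {
    param([string]$SiteName = 'Default Web Site')

    $binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
    $cert = $null
    if ($binding) {
        # certificateHash is the bound thumbprint; certificateStoreName is 'My'
        # (Personal) or 'WebHosting', depending on where the .pfx was imported.
        $storePath = "Cert:\LocalMachine\$($binding.certificateStoreName)"
        $cert = Get-ChildItem $storePath -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $binding.certificateHash }
    }

    # sslFlags on system.webServer/security/access contains 'Ssl' once
    # "Require SSL" is ticked in SSL Settings.
    $raw = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
               -Filter 'system.webServer/security/access' -Name sslFlags
    $sslFlags = if ($null -ne $raw.Value) { [string]$raw.Value } else { [string]$raw }

    [pscustomobject]@{
        Site         = $SiteName
        HttpsBinding = if ($binding) { $binding.bindingInformation } else { 'none' }
        CertStore    = if ($binding) { $binding.certificateStoreName } else { '-' }
        Thumbprint   = if ($binding) { $binding.certificateHash } else { '-' }
        Subject      = if ($cert) { $cert.Subject } else { 'certificate not found in store' }
        # A certificate that issued itself is the self-signed one from the script
        SelfSigned   = if ($cert) { $cert.Subject -eq $cert.Issuer } else { $null }
        ExpiresOn    = if ($cert) { $cert.NotAfter } else { $null }
        RequireSsl   = ($sslFlags -match 'Ssl')
    }
}

function Set-RequireSsl {
    param([string]$SiteName = 'Default Web Site')
    # Equivalent to ticking "Require SSL" under SSL Settings and clicking Apply
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}

$state = Get-PvwaTlsState
$state | Format-List

if ($state.SelfSigned) {
    Write-Warning 'The HTTPS binding still uses the self-signed certificate created by PVWA_Prerequisites.ps1.'
}
if (-not $state.RequireSsl) {
    Set-RequireSsl
    Write-Host 'Require SSL has been enabled; run Get-PvwaTlsState again to confirm.'
}
```

Run it in an elevated PowerShell window on each component server. After the trusted certificate from step 6 of the previous section has been selected on the binding, SelfSigned should report False and Subject should name the component server.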

Install PVWA

Objective: Install the Password Vault Web Access component on Comp01A.

Note: It is recommended to gracefully restart each component server prior to running the
Installation Automation PowerShell scripts.

1. Using File Explorer, navigate to folder “C:\CyberArkInstallationFiles\Password Vault Web Access-Rls-v11.2\”.

2. Right click setup.exe and “run as Administrator”.

3. If prompted, select to install the Microsoft Visual C++ 2013 Redistributable Package (x86).

4. Press the Next button, then click Yes to agree to the license agreement.

5. Enter a User name and Company name, press Next.


6. Press Next to accept the default Configuration files destination and Web application destination.

7. Press Next to accept both Setup Type options.


8. On the Web application details window, select CyberArk and LDAP as the Authentication Type.
Choose None in Default Authentication and Default Mobile Authentication fields and press Next to
continue.


9. Enter the Vault address (e.g. 10.0.10.1) and press Next.

10. Enter UserName = Administrator and Password = Cyberark1 and select Next. On the InstallShield
Wizard Complete window, click the Finish button


11. Post PVWA installation:

a. Check the PVWAInstall.log in directory C:\Users\Administrator\AppData\Local\Temp\.

b. Open Chrome and confirm that the PVWA login page is displayed. This step validates that the
PasswordVault application is communicating with the PrivateArk Server. Use URL
      https://comp01A.cyber-ark-demo.local/PasswordVault/v10/logon.

c. Login to the PVWA using CyberArk Authentication as Administrator. Validate tabs Policies,
Accounts, Applications, Reports and Administration display correctly.

d. Logout of the PVWA.

Hardening the CyberArk PVWA Servers


Hardening the PVWA server ensures that your PVWA server meets CyberArk’s security standards in 'In
Domain' deployments as well as in 'Out of Domain' deployments. Component hardening is a
combination of enforcing security policy (via GPO or INF) and Installation Automation Scripts, all
provided by CyberArk.

Note: Most of the PVWA hardening procedures can be accomplished with a PowerShell script
or each procedure can be followed manually. The following procedure instructs the
student how to harden using the scripted method. The document “Harden the
CyberArk CPM and PVWA Servers” provides detailed procedures for the manual
implementation.

1. Sign in to the Comp01A server as Administrator. Navigate to
   C:\CyberArkInstallationFiles\Password Vault Web Access-Rls-v11.2\InstallationAutomation\


2. Open Windows PowerShell as an Administrator in the folder specified in step 1 and execute the
following PowerShell commands. Select Yes when prompted.

   Get-ExecutionPolicy   (If the result is not “Restricted”, run “Set-ExecutionPolicy Restricted”)
   Set-ExecutionPolicy Bypass -Scope Process
   .\PVWA_Hardening.ps1

Note: “Set-ExecutionPolicy Restricted” should be the default Execution Policy.
      “Set-ExecutionPolicy Bypass -Scope Process” sets the Execution Policy to Bypass for the
      current PowerShell session and is reset to the prior setting when the current session
      closes.
      “Get-ExecutionPolicy” will display the current Execution Policy.

3. Wait until the script completes, then restart the server.

4. Sign in to the Comp01A server as Administrator and review the Script.log that was created in
   “C:\CyberArkInstallationFiles\Password Vault Web Access\InstallationAutomation\timestamp”.


5. Open the Windows Administrative Tools > Computer Management > Local Users and Groups >
Users. In the Properties for the PVWAReportsUser user, select Password never expires.

6. Open Windows Services and check the status of the “CyberArk Scheduled Tasks” Windows service.

a. If started, proceed to the next section, “General Configuration for all Deployments”.

b. If not started, follow these steps.

• Open Windows Event Viewer, System. Find Error EventID: 7041 with comment “Logon
failure: the user has not been granted the requested logon type at this computer”

• To resolve the issue, from the Start Menu choose Run and launch secpol.msc.

• Navigate to Local Security > User Rights Assignment. Find the parameter “Logon as a
Service” and add the local user PVWAReportsUser.

• Start the CyberArk Scheduled Tasks Service.

Note: To learn more about the actions taken during the hardening process of the PVWA, as
well as instructions for hardening the PVWA manually, please review the “Hardening
the CPM and PVWA Servers” document provided as a download from the Learning
Management System.

General Configuration for all Deployments


Open Harden the CyberArk CPM and PVWA Servers and complete the hardening procedure with the
following steps to remove unneeded IIS Application Pools.

IIS Hardening (PVWA Only)

1. Using Google Chrome, go to CyberArk Docs at https://docs.cyberark.com/Product-Doc/OnlineHelp/Portal/Docs.html.
   Search on “IIS Hardening (PVWA Only)” and execute the following listed procedures to harden the
   Comp01A and Comp01B servers. Most, but not all, of these procedures have been completed by the
   PowerShell hardening script. Restart the servers as needed.
a. Shares
i. This step is performed automatically using the PowerShell script.
b. Application Pool. Open IIS Configuration Manager. Under Connections, navigate to
Application Pools. Keep the following application pools only:
i. DefaultAppPool (Managed Pipeline Mode = Integrated)
ii. PasswordVaultWebAccess (Managed Pipeline Mode = Integrated)
c. Web Distributed Authoring and Versioning (WebDAV)


      i. This step is performed automatically using the PowerShell script.
   d. MIME Types (Recommend making a backup copy of applicationHost.config prior to changes)
      i. This step is performed automatically using the PowerShell script.
   e. SSL/TLS Settings
      i. This step is performed automatically using the PowerShell script.

2. After each procedure, it is recommended to login to the PVWA and confirm the application
displays correctly before advancing to the next procedure. Select each tab (Policies, Accounts,
Administration, etc.) to confirm all pages display correctly before proceeding.

Configure IIS Redirection

Note: Next, we will configure an IIS response to a 403 error code, effectively redirecting HTTP
traffic to HTTPS (443). We will also prevent browser access to the default web site.

1. Open Internet Information Service (IIS) Manager

2. Navigate to the Default Web Site Home, select Error Pages and then double-click the 403 status
code.

3. Select Respond with a 302 redirect and type the full URL to the PVWA web site (e.g.
   https://comp01A.cyber-ark-demo.local/PasswordVault/v10/logon/) then click OK.


4. Validate redirection. IIS will not redirect local requests. Run IISRESET from an Administrators
Command Window. Execute tests from the other component server. For example, test
redirection configured on Comp01A from Comp01B.

   a. Attempt a connection to the Default Website using https (https://comp01A.cyber-ark-demo.local/).

   b. Attempt a connection to the PVWA using http (http://comp01A.cyber-ark-demo.local/passwordvault/v10/logon).

c. The above tests should result in an HTTPS session to the PasswordVault login page. Login to
the PVWA as Administrator using CyberArk authentication. Select each tab (Policies, Accounts,
Administration, etc.) to confirm all pages display correctly before proceeding.
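Because IIS does not redirect local requests, the validation in step 4 has to run from the other component server, and a browser hides the intermediate status code. The following PowerShell is an added example for this guide, not CyberArk code: it requests each test URL without following redirects and prints the status code and Location header. Run before Configure IIS Redirection, it also answers the question in step 3 of Require HTTP over SSL (the http request returns 403 because SSL is required); after redirection is configured, both requests should return 302 to the PasswordVault logon page. The URLs are the lab's; the function name Get-RedirectResult and the pass criteria are assumptions.

```powershell
# Added example for the lab guide, not CyberArk code. Fetches a URL with
# automatic redirection disabled so the 403 -> 302 behaviour can be observed.
function Get-RedirectResult {
    param([Parameter(Mandatory)][string]$Url)

    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.AllowAutoRedirect = $false   # report the 3xx, do not follow it
    $request.Method  = 'GET'
    $request.Timeout = 10000

    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx answers arrive as a WebException that still carries the response;
        # a failed TLS trust check or a closed port has no response at all.
        $response = $_.Exception.Response
        if (-not $response) {
            return [pscustomobject]@{ Url = $Url; Status = $null; Location = $_.Exception.Message }
        }
    }

    $result = [pscustomobject]@{
        Url      = $Url
        Status   = [int]$response.StatusCode
        Location = $response.Headers['Location']
    }
    $response.Close()
    $result
}

# The two tests from step 4, run from Comp01B against Comp01A (or vice versa)
$tests = @(
    'https://comp01A.cyber-ark-demo.local/',
    'http://comp01A.cyber-ark-demo.local/passwordvault/v10/logon'
)

foreach ($url in $tests) {
    $r  = Get-RedirectResult -Url $url
    # Expected once redirection is configured: 302 to the HTTPS PasswordVault URL
    $ok = ($r.Status -eq 302) -and ($r.Location -like 'https://*/PasswordVault/*')
    '{0,-4} {1,-62} {2} -> {3}' -f $(if ($ok) { 'PASS' } else { 'FAIL' }), $r.Url, $r.Status, $r.Location
}
```

If the https test reports a trust error instead of a status code, the testing machine does not trust the certificate bound on the target server; that is a finding to fix with a trusted certificate, not something to bypass in the test.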

Install the PrivateArk Client on the Component server

Objective: In this section, you will repeat the steps for installing the PrivateArk Client, this time on
the Comp01A server.

1. Using File Explorer navigate to “C:\CyberArkInstallationFiles\Client-Rls-v11.2”. Right click on


setup.exe and run as Administrator.
2. Enter the Server Name and Server Address as shown.


Note: Repeat the “Install Password Vault Web Access” procedures beginning on page 28 to
      install the PVWA on Comp01B. Ensure the following steps are completed on Comp01B:
      1. INSTALL IIS PRE-REQUISITE SOFTWARE USING AUTOMATIC PREREQUISITES SCRIPT
      2. REQUIRE HTTP OVER SSL (PVWA)
      3. INSTALL PVWA
      4. HARDENING THE CYBERARK CPM AND PVWA SERVERS
      5. CONFIGURE IIS REDIRECTION
      6. PRIVATEARK CLIENT INSTALLATION

Test PVWA Load Balancing

Note: Your CyberArk lab is using a DNS Round Robin configuration to simulate an external
      hardware Load Balancer. The IP address for each PVWA server (10.0.20.1, 10.0.21.1)
      has been added to the pool of servers. The URL is “https://pvwa.cyber-ark-demo.local/PasswordVault”
      or select the shortcut on the Chrome Bookmarks Bar, CAU LAB Links > PVWA.


Install CPM (distributed)


Install 1st CPM

Objective: In this section you will install and perform hardening tasks on the CPM
server.

Note: Ensure that all virtual machines (VMs) are started in your Skytap lab
      before proceeding (with the exception of the DR VM).

1. Login to your first CPM server, Comp01A as administrator.

2. Open File Explorer and navigate to the shared resource folder, “Z:\CyberArk PAS Solution\v11.2\”.
If Z: is not mapped, map a drive to “\\dc01\shared”.

3. Copy “Central Policy Manager-Rls-v11.2.zip” to “C:\CyberArkInstallationFiles”. Extract the zip
   archives on the Component Server. Do not copy any other files.

4. Using File Explorer, navigate to “C:\CyberArkInstallationFiles\Central Policy Manager-Rls-v11.2\InstallationAutomation”.

5. Open Windows PowerShell as an Administrator in the folder specified in step 4 and execute the
   following PowerShell commands.

   Get-ExecutionPolicy   (If the result is not “Restricted”, run “Set-ExecutionPolicy Restricted”)
   Set-ExecutionPolicy Bypass -Scope Process
   .\CPM_Preinstallation.ps1

6. Verify the script completed successfully by reviewing the Script.log found in the
   “C:\CyberArkInstallationFiles\Central Policy Manager\Installation Automation\{date_time}” folder.

7. In File Explorer open the extracted \Central Policy Manager folder. Right click setup.exe and
choose “Run as Administrator”.

8. Select Install to install the required Windows redistributable package. This may take a few
minutes.

9. Accept the default options on the next four windows, including your company name (e.g.
CyberArk) on the Customer Information page.


10. Accept the default option, “No Policy Manager was previously installed” and press Next.


Note: This question relates to installing CPM software using an existing licensed CPM user or
installing an additional CPM that will consume a new license.

11. In the following 2 prompts, enter the IP Address of your Vault (i.e., 10.0.10.1) and enter
Administrator as the Username and Cyberark1 for the Password. Then press Next.

12. You may receive the following error; “CPMEM038E Error while trying to import platforms…”
Select Next to continue.

13. Press the Finish button to complete the installation.


14. Immediately following the CPM installation, review the CPMInstall.log file created in
“C:\Users\Administrator\AppData\Local\Temp\”. To access this directory, in the File Explorer
address window, type %appdata%, then in the address bar, change from Roaming to Local and
navigate to the \Temp directory. This file contains a list of all the activities performed when the
CPM environment in the Vault is created during the installation procedure.

Post CPM Installation

Review the following.

1. Navigate to “C:\Program Files (x86)\CyberArk\Password Manager\Logs”. Check the pm.log and
   pm_error.log file for errors.
2. Confirm that the CPM services are installed and running.
a. CyberArk Password Manager Service.
b. CyberArk Central Policy Manager Scanner.

Install 2nd CPM

Objective: You will now repeat the steps in Install 1st CPM, but pay very careful attention to the
instructions. There are subtle differences in the installation of the 2nd CPM component
server on Comp01B.

1. Log into your Comp01B server as Administrator.

2. Open File Explorer and navigate to the shared resource folder, “Z:\CyberArk PAS Solution\v11.2\”.
If Z: is not mapped, map a drive to “\\dc01\shared”.

3. Copy “Central Policy Manager-Rls-v11.2.zip” to C:\CyberArkInstallationFiles. Extract the zip
   archives on the Component Server. Do not copy any other files.

4. Using File Explorer, navigate to “C:\CyberArkInstallationFiles\Central Policy Manager-Rls-v11.2\InstallationAutomation”.

5. Open Windows PowerShell as an Administrator in the folder specified in step 4 and execute the
following PowerShell commands.

   Get-ExecutionPolicy   (If the result is not “Restricted”, run “Set-ExecutionPolicy Restricted”)
   Set-ExecutionPolicy Bypass -Scope Process
   .\CPM_Preinstallation.ps1

6. Verify the script completed successfully by reviewing the Script.log found in the
   “C:\CyberArkInstallationFiles\Central Policy Manager\Installation Automation\{date_time}” folder.

7. In File Explorer open the extracted folder “C:\CyberArkInstallationFiles\Central Policy Manager-Rls-v11.2\”.
   Right click setup.exe and choose “Run as administrator”.

8. Specify Username. The installer will ask you to specify a username for this CPM, since another
   CPM has already been installed on this Vault. Enter CPM_UNIX in the New Username field, then
   complete the installation.

Post CPM Installation

Review the following.

1. Navigate to “C:\Program Files (x86)\CyberArk\Password Manager\Logs”. Check the pm.log and
   pm_error.log file for errors.

2. Confirm that the CPM services are installed and running.
   a. CyberArk Password Manager Service.
   b. CyberArk Central Policy Manager Scanner.


Rename 1st CPM

Objective: In this section you will rename the CPM installed on Comp01A from PasswordManager
to CPM_WIN, to comply with the Customer’s naming standard.

1. Log on to the Comp01A Server, and stop both CPM Services; CyberArk Password Manager, and
CyberArk Central Policy Manager Scanner. This is a critical first step that you must confirm.
Services must be completely stopped before proceeding.

2. Launch the PrivateArk Client and log in as Administrator. Navigate to menu; Tools >
Administrative Tools > Users and Groups and select the PasswordManager user. Press F2 to
rename to CPM_WIN.

3. Click Update and reset the user’s password to Cyberark1 on the Authentication tab.


4. Click OK then Close the Users and Groups dialogue box

5. Rename the following safes in the PrivateArk Client (DO NOT rename safes
   PasswordManager_Pending, PasswordManagerTemp or PasswordManagerShared):

   Old Name                     New Name
   PasswordManager              CPM_WIN
   PasswordManager_ADInternal   CPM_WIN_ADInternal
   PasswordManager_info         CPM_WIN_Info
   PasswordManager_workspace    CPM_WIN_workspace

Note: Open (SHIFT+ENTER) each safe individually and then press F2 on the Safe Icon to
rename. This is easier if you switch from Icon view to Details view.

6. Logoff the PrivateArk Client.

7. Open a command prompt as Administrator and navigate to
   C:\Program Files (x86)\CyberArk\Password Manager\Vault. Run the following command:

   CreateCredFile.exe user.ini

8. Enter the Vault Username and Password for the new CPM user at the prompts. Press Enter to
accept the default for the remaining prompts.

Username: CPM_WIN
Password: Cyberark1


9. Start the CPM Services. Check the pm.log and pm_error.log files to verify they start successfully
and without errors. The pm.log file should begin with log entry “CACPM117I Starting Password
Manager 10.X.0 (10.X.X.X)”, followed by a listing of each active platform, e.g., “CACPM670I
Effective policy updated. ID: 2, Policy ID: 2, Platform Name: Unix via SSH"

Update the name of the CPM in the PVWA

1. Sign in to the PVWA as Administrator.
2. Navigate to Administration > Configuration Options > Component Settings > Options > CPM
   Names.
3. Select PasswordManager and update the Name field to CPM_WIN. Click Apply and Ok to save.

Harden the CPM server

Objective: Hardening the CPM server ensures that your CPM server meets CyberArk’s security
standards for 'In Domain' deployments as well as in 'Out of Domain' deployments. CPM
server hardening is automated via a combination of an applied Group Policy for in-
domain deployments and PowerShell scripts. Both are necessary. CPM and PVWA
GPO’s are already applied to Comp01A and Comp01B servers in this lab.


1. Navigate to “C:\CyberArkInstallationFiles\Central Policy Manager-Rls-v11.2\InstallationAutomation”.

2. Open Windows PowerShell as an Administrator in the folder specified in step 1 and execute the
   following PowerShell commands.

   Get-ExecutionPolicy   (If the result is not “Restricted”, run “Set-ExecutionPolicy Restricted”)
   Set-ExecutionPolicy Bypass -Scope Process
   .\CPM_Hardening.ps1

3. Wait until the script completes.
   a. Logs detailing the actions taken by the PS script can be found in a subfolder of
      “…\InstallationAutomation\{date-time}”.
      • Errors related to failure to set permissions are normal and can be ignored.
4. Restart the CPM server.
5. After the restart, sign into the CPM server as Administrator. Check the status of the “CyberArk
Password Manager” and “CyberArk Central Policy Manager Scanner” Windows services.
a. Note that the services are running under the credentials of the local user
PasswordManagerUser. If the services are started, proceed to step 6.

Note: If the services are not started, the CPM hardening script may not have been successful
in granting the local PasswordManagerUser, the “logon as a service” right. In this
Skytap lab a Group Policy is enforcing this right for the PasswordManagerUser however
in a production deployment the GPO may not yet be applied or the setting may not be
defined. The “logon as a service” right can be confirmed in the Script.log file, created
by the hardening script, located in the InstallationAutomation folder. Search Script.log
for the key word “SeServiceLogonRight”

b. To resolve the issue, from the Start Menu choose Run and launch secpol.msc.
c. Navigate to Local Security > User Rights Assignment. Find the parameter “Logon as a Service”
and add the local user PasswordManagerUser, then start both CPM Services.
d. Check the logs for errors.
6. Confirm that PMTerminal.exe and plink.exe (displayed in the graphic below as “Command line SSH,
   Telnet and Rlogin client”) are defined as exceptions to Data Execution Prevention.
7. At the Start Menu, Run command, type “sysdm.cpl”. Navigate to Advanced > Performance
Settings, Data Execution Prevention.


   a. The CPM_Hardening.ps1 script attempts to add these exceptions automatically. If the
      exceptions are not created, this is a clue that the CPM_Hardening.ps1 script was not run in an
      Administrator PowerShell window. If hardening manually, this step is required to support
      terminal-based CPM plugins.

8. Repeat section “Harden the CPM server” on the Comp01B server.
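The checks in steps 5 to 7 can be scripted so they can be repeated after every hardening pass. The following PowerShell is an added example, not part of the lab guide or of CPMHardening.ps1; it assumes the service display names and the PasswordManagerUser account given above, and the executable paths are placeholders for your CPM installation folder.

```powershell
# Added example (not from the lab guide or CPMHardening.ps1). Run in an elevated PowerShell
# window on the CPM server: secedit needs administrator rights.

function Get-CpmServiceState {
    # Reports state and logon account of the two CPM services named in step 5.
    $displayNames = 'CyberArk Password Manager', 'CyberArk Central Policy Manager Scanner'
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $displayNames -contains $_.DisplayName } |
        Select-Object DisplayName, State, StartName
}

function Test-ServiceLogonRight {
    # Checks whether the account holds SeServiceLogonRight (the keyword the note above tells
    # you to search for in Script.log) by exporting the effective local security policy.
    param([string]$Account = 'PasswordManagerUser')
    $export = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $export -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
    Remove-Item -Path $export -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    # secedit lists principals by SID prefixed with '*', so resolve the account to its SID as well.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $principals = ($line.Line -split '=')[1] -split ',' | ForEach-Object { $_.Trim() }
    return ($principals -contains "*$sid") -or ($principals -contains $Account)
}

function Test-DepException {
    # DEP opt-out entries are stored per executable under AppCompatFlags\Layers with
    # DisableNXShowUI in the value data (assumption: this is how the System Properties
    # dialog from step 7 records its exception list).
    param([Parameter(Mandatory)][string]$ExePath)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    $layers = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $layers) { return $false }
    $entry = $layers.PSObject.Properties[$ExePath]
    return [bool]($entry -and ($entry.Value -match 'DisableNXShowUI'))
}

# Placeholder path: substitute the bin folder of your CPM installation.
$cpmBin = 'C:\Program Files (x86)\CyberArk\Password Manager\bin'

Get-CpmServiceState | Format-Table -AutoSize
"SeServiceLogonRight granted to PasswordManagerUser: $(Test-ServiceLogonRight)"
foreach ($exe in 'PMTerminal.exe', 'plink.exe') {
    $path = Join-Path $cpmBin $exe
    "DEP exception for ${path}: $(Test-DepException -ExePath $path)"
}
```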


Integrations
LDAP Authentication (over SSL)

Objective: To configure the Vault to use LDAP over SSL connections, you must import the
Certificate Authority’s root certificate into the Windows Trusted Root Certificate Store
on the Vault Server. The following procedure guides you through transferring the
certificate file from the component server to the Vault server, where it can be
imported.

Note: Ensure that all Virtual Machines (VMs) are started in your Skytap lab before
proceeding (with the exception of the DR VM).

1. Sign in as Local Administrator on server Comp01A or Comp01B. Open Internet Explorer
(required) and browse to https://dc01.cyber-ark-demo.local/certsrv.
a. Log in to the web page as Administrator/Cyberark1.

2. Click on Download a CA certificate, certificate chain, or CRL.


3. Click Yes to allow this operation.

4. Click Download CA certificate.

5. Click Save to store the certificate in the Downloads folder.

6. Log into PrivateArk Client as Administrator.


7. Open and Enter the VaultInternal safe.
8. Click the Store menu option, or right click in the body of the safe, and select Store, Move File
to Safe. Navigate to the Downloads folder and select the file just downloaded, certnew.cer.


9. Logoff from PrivateArk Client on the Components Server.


10. Sign into the Vault server as Administrator. Log into PrivateArk Client.
11. Open and step into the VaultInternal safe. Right click certnew.cer and click Retrieve and Save As…

12. Save the file to the Desktop.


13. Right click the Start Menu and select Command Prompt (Admin). Change the current directory
to “c:\Users\Administrator\Desktop” and enter the following command.

Note: Confirm that the file name is correct.

certutil -addstore "Root" certnew.cer


14. Remain at the Administrator Command Prompt, and launch Notepad.


15. In Notepad, open C:\Windows\System32\drivers\etc\hosts. Hint: it may be hidden.

16. Add the following line to the end of the file, and save it.
10.0.0.2 dc01.cyber-ark-demo.local
17. Sign off the Vault Server and sign in to the Comp01A or B Server.
18. Sign in to the PVWA as Administrator using CyberArk authentication, and display the User
Provisioning > LDAP Integration page.
19. Select New Domain to display the LDAP Integration Wizard.


20. Proceed through the LDAP Integration Wizard using the following parameters.
Domain Name: cyber-ark-demo.local
Connect via: Secure connection (SSL)
Address: dc01.cyber-ark-demo.local
Bind user name: [email protected]
Bind user Password: Cyberark1
Domain Base Context: dc=cyber-ark-demo,dc=local

21. Select the domain controller listed (dc01.cyber-ark-demo.local) and click Connect.

Note: In a production implementation it is recommended to configure 2 Domain
Controllers at the company’s primary site, and 2 additional Domain Controllers at
the company’s Disaster Recovery site.

22. In the Create directory mapping step, click Define map to the right of each group name you want to
map, then specify the name of the user or group.
a. Select the appropriate group for each field.
b. When complete, click Next.
Define Vault Admin Group: CyberArk Vault Admins
Define Safe Managers Group: CyberArk Safe Managers
Define Auditors Group: CyberArk Auditors
Define Users Group: CyberArk Users

23. Review the summary and select Save.


24. Test your LDAP/S integration by signing in to the PVWA as vaultadmin01/Cyberark1 using LDAP
authentication.
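Before running the wizard, the three prerequisites that the Secure connection (SSL) option depends on can be verified from the Vault server. This PowerShell is an added example, not from the lab guide; it assumes the certificate path, host name and address from steps 12 to 16 and prompts for the bind account from step 20.

```powershell
# Added example (not from the lab guide). Run on the Vault server after steps 13 to 16:
# each function checks one prerequisite of LDAP over SSL.

function Test-RootStoreHasCert {
    # Is the CA certificate imported with certutil present in the machine Trusted Root store?
    param([string]$CertFile = 'C:\Users\Administrator\Desktop\certnew.cer')
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile
    $match = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
    return [bool]$match
}

function Test-HostResolves {
    # Does the name resolve to the address added to the hosts file in step 16?
    param([string]$HostName = 'dc01.cyber-ark-demo.local', [string]$Expected = '10.0.0.2')
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString }
    } catch {
        return $false
    }
    return $addresses -contains $Expected
}

function Test-LdapsBind {
    # Opens an LDAP over SSL connection and performs a simple bind. Schannel validates the
    # server certificate against the Root store during the handshake, so an untrusted CA or a
    # name mismatch surfaces here as a failed bind rather than later in the wizard.
    param(
        [string]$Server = 'dc01.cyber-ark-demo.local',
        [int]$Port = 636,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    try {
        $connection.SessionOptions.SecureSocketLayer = $true
        $connection.SessionOptions.ProtocolVersion = 3
        $connection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        $connection.Credential = $Credential.GetNetworkCredential()
        $connection.Bind()
        return $true
    } catch {
        Write-Warning ("LDAPS bind to {0}:{1} failed: {2}" -f $Server, $Port, $_.Exception.Message)
        return $false
    } finally {
        $connection.Dispose()
    }
}

# Prompt for the bind account from step 20 rather than embedding its password in the script.
$bindCredential = Get-Credential -Message 'LDAP bind user (step 20)'
"CA certificate in LocalMachine\Root: $(Test-RootStoreHasCert)"
"dc01 resolves to 10.0.0.2          : $(Test-HostResolves)"
"LDAPS simple bind succeeded        : $(Test-LdapsBind -Credential $bindCredential)"
```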


SMTP Integration

Objective: For this section, we are going to log in to the PVWA as vaultadmin01 (an LDAP user)
and configure the SMTP integration. In the previous section, testing the LDAP integration
by logging in as vaultadmin01 created a user profile in the Vault for the vaultadmin01
user; that profile has an email address associated with it, which allows a test email to be
sent to vaultadmin01.

Note: Prior to setting up the SMTP integration, verify that the CyberArk Event Notification
Engine (ENE) service is running on the Vault. This service may not start if the Vault VM
has been suspended and then resumed.

1. On the Comp01A or B server, launch the PVWA, select LDAP as the Authentication method and log in
as vaultadmin01.

2. Go to ADMINISTRATION > Configuration Options and click the Setup Wizard.

3. Select Email Notifications and click Next.


4. Enter the following:

SMTP address: 10.0.0.2
Sender Email: [email protected]
Sender Display Name: VaultAdmin01
SMTP Port: 25
PVWA URL: <Accept the default>
5. Press Finish.
6. Press Yes to send a test e-mail.

7. Browse to the email client, http://webmail.cyber-ark-demo.local/Mondo/lang/sys/Login.aspx, or
select the Webmail link provided in the “CAU Lab Links” bookmark bar.
a. Log in as vaultadmin01 / Cyberark1.
b. Ensure that you receive the email from the ENE Wizard.

8. Close the Webmail application.


Troubleshooting: If you need to run the wizard again, you can change the IP address of the
SMTP server to 1.1.1.1 and save, as shown in the graphic below. Also
ensure that the Event Notification Engine service is running on the Vault
Server.


Note: CyberArk’s Digital Vault supports authenticated and encrypted email notifications. For
more information, search docs.cyberark.com for “Authenticated and encrypted email
notifications”.


SIEM Integration

Note: For the first part of this exercise we will log in to the Vault server to prepare the Vault to
communicate with the SIEM. This section will demonstrate how to forward audit
records to a SIEM server, such as Arcsight or enVision.

Note: Ensure all Virtual Machines are running!

Setting up SIEM Integration

Note: The Vault supports encrypted protocols to the SIEM. For more information, search the
v11.2 Privileged Access Security Implementation Guide for “Security Information and
Event Management Applications”.

1. Log in to the Vault server as Administrator / Cyberark1.

2. Open Windows File Explorer and navigate to:
C:\Program Files (x86)\PrivateArk\Server\Syslog.
3. Make a copy of the file Arcsight.sample.xsl and rename to ArcsightProd.xsl.

4. Navigate to C:\Program Files (x86)\PrivateArk\Server\Conf.


a. Edit the DBPARM.sample.ini file. Copy the entire [SYSLOG] section.
b. Edit the dbparm.ini file. Paste the contents of the clipboard to the bottom of the file,
overwriting the existing [SYSLOG] section.
c. Edit the [SYSLOG] section as shown below. Be sure to remove the comment “*” from the
beginning of each line.


Note: The settings above will forward all syslog messages to the SIEM server. See the PAS
Implementation Guide for instructions on filtering these messages if required.

5. Save and exit the file.


6. Restart the PrivateArk Server service to read the changes made to dbparm.ini into memory. It is
best to do this from the Windows Services applet.
7. Check the ITALOG.log to validate success and identify any possible syntax errors.

Note: For the next section of the procedure we will be using the Component Server.

1. Log in to either the Comp01A or Comp01B server.

2. Launch PuTTY from the Windows Taskbar.

3. Enter 10.0.0.20 as the Host Name (or IP address) and click Open to launch an SSH connection.


4. Click Yes to accept the server’s key, if prompted.

5. Log in as root01 with the password Cyberark1. Accept any security warning you may receive.

6. Enter the following command.

cat /var/log/messages | grep VAULT01A

Note: If you want to view the running activity log of your Vault in this window, you can
modify the command and leave this window open with this command running while
you work on other exercises and view what activities are logged as you go. To do this,
replace “cat” with “tail -f”.


NTP Integration

Objective: Configure the Vault Server’s system clock to synchronize with an internal (to the
company) time source.

Note: Time synchronization is critically important in the CyberArk PAS architecture. In the
following exercise we will integrate the Vault Server with an external time source.

1. Sign into your Vault Server.

a. Using Windows File Explorer navigate to ‘C:\Program Files (x86)\PrivateArk\Server\Conf’ and
edit the dbparm.ini file.

2. Add the following lines to the end of the file. This will create inbound and outbound firewall rules
that will allow the vault to communicate to the NTP server.

3. To commit the changes made to the DBParm.ini file, restart the PrivateArk Server service.

4. Next we must enable the Windows Time service. Open the Windows Services applet from the Taskbar.

5. Double click “Windows Time” to display the service properties.



6. Update the Startup type to Automatic (Delayed Start) and click OK.

7. Start the Windows Time service.

Next, we need to set a special time skew in the registry that will prevent large changes to the system
time all at once. The special time skew will force the NTP service to change every 30 minutes for the
first 3 checks and then every 8 hours. This will prevent triggering anti-tampering protections in the
vault that could be activated by creating new audit entries that occur before existing audit entries.

8. Open regedit and browse to HKLM\System\CurrentControlSet\Services\W32Time\Parameters.

9. Add a new DWORD and name it “Period”.

a. Double click it and change the Base to decimal and make the Value data “65532”.


b. Close the Registry Editor.

10. Change the system time from the Windows Task Bar, setting the clock back 5 minutes.

11. Open an Administrative Command prompt.

12. Run the following command:

W32tm /config /manualpeerlist:10.0.0.2 /syncfromflags:manual /reliable:YES /update

13. The system clock should adjust and display the correct time, which validates that you have completed
the procedure correctly.
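The correction in step 13 can be measured before it is applied: if the Vault clock were ahead of the time source, a resync would move it backwards, which is the audit-ordering condition described above. This PowerShell is an added example, not from the lab guide; it assumes the time source 10.0.0.2 and the Period value 65532 from the steps above, and the sign convention and output layout of w32tm /stripchart are assumptions to confirm on your build.

```powershell
# Added example (not from the lab guide). Run from an administrative PowerShell prompt on the
# Vault server after the Windows Time service has been started (step 7).

function Get-TimeOffsetSeconds {
    # Averages a few offset samples against the peer without touching the local clock.
    # Assumption: sample lines look like "10:21:05, +00.0134521s" and a positive value
    # means the peer is ahead of this host.
    param([string]$Peer = '10.0.0.2', [int]$Samples = 3)
    $output = & w32tm /stripchart "/computer:$Peer" "/samples:$Samples" /dataonly 2>&1
    $offsets = foreach ($line in $output) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No offset samples from ${Peer}: $($output -join ' ')" }
    return ($offsets | Measure-Object -Average).Average
}

function Set-VaultTimeSync {
    # Applies steps 9 and 12, but only after checking how far the clock will move. A correction
    # that moves the clock forward (as after step 10) is harmless; a large backward step would
    # let new audit records carry timestamps earlier than existing ones, the condition the
    # paragraph above warns about, so it is refused and left for investigation.
    param([string]$Peer = '10.0.0.2', [int]$Period = 65532, [double]$MaxBackwardStepSeconds = 1.0)
    $before = Get-TimeOffsetSeconds -Peer $Peer
    if ($before -lt -$MaxBackwardStepSeconds) {
        throw ("Local clock is {0:N1}s ahead of {1}; syncing now would move time backwards." -f (-$before), $Peer)
    }
    $parameters = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    Set-ItemProperty -Path $parameters -Name 'Period' -Value $Period -Type DWord
    & w32tm /config "/manualpeerlist:$Peer" /syncfromflags:manual /reliable:YES /update | Out-Null
    & w32tm /resync | Out-Null
    [pscustomobject]@{
        OffsetBeforeSeconds = [math]::Round($before, 3)
        OffsetAfterSeconds  = [math]::Round((Get-TimeOffsetSeconds -Peer $Peer), 3)
    }
}

Set-VaultTimeSync
```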


Authentication Types

In this section you will configure multiple authentication methods. Detailed information on
authentication can be found in the Privileged Account Security Installation Guide in section
“Authenticating to the Privileged Account Security Solution”.

RADIUS Authentication

Note: Ensure that all Virtual Machines (VMs) are started in your Skytap lab before
proceeding (with the exception of the DR VM).

Objective: In this section you will enable RADIUS authentication for the customer, and test 2-Factor
Authentication.

You have the option to download the application “Google Authenticator” on your
smartphone. If you do not wish to install the app on your phone you can use the
emergency scratch codes that will be provided to you when you register your user to
Google Authenticator.


Enroll User in RADIUS

1. First, launch PuTTY from the Comp01A or Comp01B server and use SSH to connect to the RADIUS
server (10.0.0.6) with vaultuser01/Cyberark1.

2. Next, run the following command as shown to register your vaultuser01 account:
google-authenticator
[vaultuser01@localhost ~]$ google-authenticator

Do you want authentication tokens to be time-based (y/n) y

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/vaultadmin01@localhost.localdomain%3Fsecret%3D3CLLATZIIKJUZ737
Your new secret key is: 3CLLATZIIKJUZ737
Your verification code is 604700
Your emergency scratch codes are:
57556538
55330792
36858217
20147572
18965930

Do you want me to update your "/home/vaultuser01/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) n

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.

Do you want to enable rate-limiting (y/n) y

Note: If you do not want to install Google Authenticator on your smart phone, skip to step 4
and use the scratch codes provided during RADIUS registration in step 2.

3. Select the context menu, Copy All to Clipboard command, and paste into Notepad for future
reference.
4. Copy the URL displayed by Google Authenticator and paste it into your browser to register this
new user on your Google Authenticator App. This app will present you with a new OTP every x
seconds to be used to authenticate as this user.

5. To verify that the RADIUS integration works locally, use the following command. Use a scratch code for
the token, or generate a token from the Google Authenticator application on your phone. Verify that
you receive Access-Accept in the reply:

radtest vaultuser01 <token> localhost 18120 testing123
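The enrollment prompts above describe time-based tokens, a skew window of either 1:30min or about 4min, and single-use scratch codes. The following PowerShell is an added example, not from the lab guide or the google-authenticator package, that implements the same TOTP check so the effect of the window size can be seen; the secret and scratch codes in it are constructed, not those printed during enrollment.

```powershell
# Added example (not from the lab guide or google-authenticator). The secret and scratch codes
# below are constructed for illustration only.

function ConvertFrom-Base32 {
    # Decodes the base32 secret shown as "Your new secret key" into raw HMAC key bytes.
    param([Parameter(Mandatory)][string]$Text)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($c in $Text.ToUpperInvariant().TrimEnd('=').ToCharArray()) {
        $index = $alphabet.IndexOf($c)
        if ($index -lt 0) { throw "Invalid base32 character '$c'" }
        $bits += [Convert]::ToString($index, 2).PadLeft(5, '0')
    }
    $bytes = New-Object System.Collections.Generic.List[byte]
    for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        $bytes.Add([Convert]::ToByte($bits.Substring($i, 8), 2))
    }
    return ,$bytes.ToArray()
}

function Get-TotpCode {
    # RFC 6238 TOTP: HMAC-SHA1 over the 8-byte big-endian time step, then RFC 4226 dynamic truncation.
    param([Parameter(Mandatory)][byte[]]$Key, [Parameter(Mandatory)][long]$TimeStep, [int]$Digits = 6)
    $message = [BitConverter]::GetBytes($TimeStep)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($message) }
    $hmac = New-Object System.Security.Cryptography.HMACSHA1 -ArgumentList (,$Key)
    $hash = $hmac.ComputeHash($message)
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $binary = (($hash[$offset] -band 0x7F) -shl 24) -bor (($hash[$offset + 1] -band 0xFF) -shl 16)
    $binary = $binary -bor (($hash[$offset + 2] -band 0xFF) -shl 8) -bor ($hash[$offset + 3] -band 0xFF)
    $modulus = [int][math]::Pow(10, $Digits)
    return ($binary % $modulus).ToString().PadLeft($Digits, '0')
}

function Test-TotpCode {
    # Accepts a code if it matches any time step inside the window. WindowSize counts codes:
    # 3 is the default "1:30min" window (current step plus one either side); 17 is the
    # "about 4min" window offered during enrollment (eight steps either side).
    param(
        [Parameter(Mandatory)][string]$Base32Secret,
        [Parameter(Mandatory)][string]$Code,
        [Parameter(Mandatory)][long]$UnixTime,
        [int]$StepSeconds = 30,
        [int]$WindowSize = 3
    )
    $key = ConvertFrom-Base32 -Text $Base32Secret
    $current = [long][math]::Floor($UnixTime / $StepSeconds)
    $half = [int][math]::Floor($WindowSize / 2)
    foreach ($delta in (-$half)..$half) {
        if ((Get-TotpCode -Key $key -TimeStep ($current + $delta)) -eq $Code) { return $true }
    }
    return $false
}

# Scratch codes are single-use: a code already consumed (for instance by radtest) must be
# rejected when it is presented again, which is what the lab guide later warns about.
$script:ConsumedScratchCodes = @{}
function Test-ScratchCode {
    param([Parameter(Mandatory)][string[]]$IssuedCodes, [Parameter(Mandatory)][string]$Code)
    if (($IssuedCodes -notcontains $Code) -or $script:ConsumedScratchCodes.ContainsKey($Code)) { return $false }
    $script:ConsumedScratchCodes[$Code] = $true
    return $true
}

# Constructed values for the demonstration.
$secret  = 'JBSWY3DPEHPK3PXP'
$scratch = '11111111', '22222222'
$now     = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$code    = Get-TotpCode -Key (ConvertFrom-Base32 -Text $secret) -TimeStep ([long][math]::Floor($now / 30))

"same step, default window       : $(Test-TotpCode -Base32Secret $secret -Code $code -UnixTime $now)"
"one step later, default window  : $(Test-TotpCode -Base32Secret $secret -Code $code -UnixTime ($now + 30))"
"four steps later, default window: $(Test-TotpCode -Base32Secret $secret -Code $code -UnixTime ($now + 120))"
"four steps later, 4min window   : $(Test-TotpCode -Base32Secret $secret -Code $code -UnixTime ($now + 120) -WindowSize 17)"
"scratch code first use          : $(Test-ScratchCode -IssuedCodes $scratch -Code '11111111')"
"scratch code reused             : $(Test-ScratchCode -IssuedCodes $scratch -Code '11111111')"
```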


Note: The vault01a server has been added as a RADIUS Client by the RADIUS Administrator. The
RADIUS Administrator has also chosen a RADIUS Secret and provided it to you, the Vault
Administrator. The RADIUS Secret enables the Vault to authenticate to the RADIUS server.
The RADIUS Secret provided is “Cyberark1” without the double quotes.

Configure the Vault Server to use RADIUS Authentication

1. Save the RADIUS Secret to an encrypted file named radiussecret.dat. Log in to the Vault01A server
and open a Command Prompt as Administrator.

2. To create the encrypted file containing the RADIUS Secret, change directories to “C:\Program Files
(x86)\PrivateArk\Server” and enter the following command using the CAVaultManager.exe utility.

CAVaultManager.exe SecureSecretFiles /SecretType RADIUS /Secret Cyberark1 /SecuredFileName radiussecret.dat


3. Remain at the Command Prompt. Change directories to \Conf. Type “notepad dbparm.ini” and
add the following two lines to the end of the file. Save the changes to the dbparm.ini and restart
the PrivateArk Server.

[RADIUS]
RadiusServersInfo=10.0.0.6;1812;vault01a;radiussecret.dat

4. Restart the PrivateArk Server service using services.msc, to read the changes made to dbparm.ini
into memory.

a. Check the ITALOG.LOG for possible errors.

Enable RADIUS Authentication Option

1. Log in to the PVWA from Comp01A or Comp01B as VaultAdmin01.

2. Navigate to Administration > Configuration Options > Options > Authentication Methods > radius.
Change the Enabled parameter to Yes.

a. You can also add a custom entry for “PasswordFieldLabel” to notify the user they need to
authenticate using the token.


3. Sign out of the PVWA.


4. Using the PrivateArk Client, log on to the Vault as Administrator.
5. Navigate to Tools > Administrative Tools > Directory Mapping.
6. Update Directory Map “Users_cyber-ark-demo.local”.
7. Edit the User Template, changing the authentication method to RADIUS Authentication. This will
cause all new vault users from the group defined in the Directory Map Rule to require RADIUS
authentication but will not affect users that have already authenticated.

8. Logoff the PrivateArk Client.

9. At the PVWA login, attempt to log in as vaultuser01 using RADIUS authentication. Verify that you can
log in using a scratch code or the token provided by google-authenticator.

Note: Scratch codes can only be used once. Select a scratch code that was not previously
used to test enrollment with the radtest command.


PKI Authentication

In this lab, you will provision a User Digital Certificate from a Certificate Authority and save it in the
Windows Personal Certificate Store.

Enable PKI Authentication Option

1. Sign in to the Comp01A/B server as VaultAdmin01, then sign in to the PVWA also as
Vaultadmin01.

2. Navigate to Administration, Configuration Options, Component Settings, Options.

3. Navigate to Authentication Methods > pki. Select Enabled = Yes. Sign out of the PVWA.


Provision a User Certificate

1. Using Internet Explorer (not Firefox or Chrome) browse to https://dc01.cyber-ark-demo.local/CertSrv.
If prompted, log in as vaultadmin01/Cyberark1.

2. Click Request a certificate.

3. Click User Certificate.


4. Click Yes to the warning, then click Submit.

5. Click Yes to the warning, then click “Install this certificate”.

6. You should receive the following success message.

Note: Additional PVWA configuration is required to support PKI authentication. The following
procedure describes how to configure PKI authentication in the new PVWA interface
V10 and above:


1. Using Notepad (not Notepad++), edit the IIS configuration file, applicationHost.config. By default,
the file is found at C:\Windows\System32\Inetsrv\Config\applicationHost.config.
a. At the end of the file, ensure the following lines exist:
<location path="Default Web Site/PasswordVault/api/auth/pki/logon">
  <system.webServer>
    <security>
      <access sslFlags="Ssl, SslNegotiateCert,SslRequireCert" />
    </security>
  </system.webServer>
</location>
2. Pay special attention to the value of the location path attribute. It must be changed:
a. From: “Default Web Site/PasswordVault/auth/pki/”
b. To: “Default Web Site/PasswordVault/api/auth/pki/logon”
3. Save the file. Open a Command Prompt as Administrator. Run IISRESET.
4. Repeat steps 1-3 on all PVWA servers.
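The edit in steps 1 and 2 can be verified on each PVWA server with the following PowerShell, an added example that is not from the lab guide; it assumes the default applicationHost.config path and the two location paths quoted above.

```powershell
# Added example (not from the lab guide). Read-only check of applicationHost.config; run it
# from a 64-bit PowerShell window on each PVWA server after step 4.

function Test-PkiLogonLocation {
    param(
        [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config",
        [string]$ExpectedPath = 'Default Web Site/PasswordVault/api/auth/pki/logon',
        [string]$StalePath = 'Default Web Site/PasswordVault/auth/pki/'
    )
    [xml]$config = Get-Content -Path $ConfigPath -Raw
    $result = [ordered]@{
        LocationFound      = $false   # the <location> element for the v10+ logon path exists
        SslFlags           = $null    # raw sslFlags attribute, for the report
        RequiresClientCert = $false   # both Ssl and SslRequireCert are present
        StalePathPresent   = $false   # the pre-v10 path from step 2a still has its own block
    }
    foreach ($location in @($config.configuration.location)) {
        if ($location.path -eq $StalePath) { $result.StalePathPresent = $true }
        if ($location.path -ne $ExpectedPath) { continue }
        $result.LocationFound = $true
        $access = $location.'system.webServer'.security.access
        if ($access -and $access.sslFlags) {
            $result.SslFlags = $access.sslFlags
            $flags = $access.sslFlags -split ',' | ForEach-Object { $_.Trim() }
            $result.RequiresClientCert = ($flags -contains 'Ssl') -and ($flags -contains 'SslRequireCert')
        }
    }
    return [pscustomobject]$result
}

$check = Test-PkiLogonLocation
$check | Format-List
if (-not ($check.LocationFound -and $check.RequiresClientCert) -or $check.StalePathPresent) {
    Write-Warning 'PKI logon location block is missing, incomplete or still uses the old path; correct it and run IISRESET.'
}
```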

Login to PVWA using PKI

Note: Before signing in to the PVWA using PKI, delete the existing Transparent User
from the Vault.

1. Log in to the PrivateArk Client as Administrator.

2. Navigate to Tools, Administrative Tools, Users and Groups. Locate and delete the user
VaultAdmin01.

3. Using Google Chrome, browse to the PVWA at URL https://pvwa.cyber-ark-demo.local/passwordvault/
and choose User Certificate authentication or PKI. This step must use
Chrome or IE. Firefox does not use the Windows Certificate Store.

4. A note on the behavior of PKI Authentication using IE on Windows.

a. If the URL is in the Intranet Zone and the certificate is valid, the user will be authenticated
successfully and passed directly to the accounts page.


b. If the URL is in the Trusted Sites Zone and the certificate is valid, the user will be prompted
to confirm the certificate.

Two Factor Authentication (2FA)

In CyberArk there are 2 groups of authentication methods:

• PVWA (IIS) level or Primary authentication: Windows, Oracle SSO, PKI (Client Certificate), RSA, SAML.
• Vault level or Secondary authentication: CyberArk, LDAP, RADIUS.

Challenge: Attempt to configure 2-Factor authentication combining PKI (IIS level) with LDAP
Authentication (Vault Level). Note: Reset the Users Directory Map authentication
requirement to LDAP and delete any users from the PrivateArk Client.


EPV Testing and Validation

Objective: In this section you will create several accounts to validate and test the functionality of
the installed components and the CPM’s ability to manage Privileged Accounts on the
Target Servers.

Sign in to the PVWA using VaultAdmin01.

Note: Ensure that all Virtual Machines (VMs) are started in your Skytap lab before
proceeding (with the exception of the DR VM).


Add Windows Domain Account


1. Create safe ‘Windows Accounts’.
a. Assigned CPM: CPM_WIN
b. Add Safe Member: Search the Active Directory domain and add LDAP group
‘WindowsAdmins’ with default permissions
c. Optional: Search the Vault and add built-in group ‘Vault Admins’ with all Safe Roles
excluding ‘Use accounts’ and ‘Retrieve accounts’
2. Duplicate the Windows Domain Accounts platform and name it “CyberArk Lab Windows Domain
Accounts”.
3. Create Admin01 LDAP account
a. Store in safe ‘Windows Accounts’ and assign it to the platform created in step 2
b. Address equals “cyber-ark-demo.local”
c. Select the “Logon To:” parameter and click “Resolve” to populate the field
d. Password equals Cyberark1
4. Perform a Verify and Change operation

Add Windows Server Local Account


1. Duplicate the ‘Windows Server Local Accounts’ platform and name it, “CyberArk Lab Windows
Server Local Accounts”.
2. Create account localadmin01
a. Store in safe ‘Windows Accounts’ and assign it to the platform created in step 1.
b. Address equals “comp01c.cyber-ark-demo.local”
c. Password is unknown. Leave the password field blank.
3. Associate admin01 as a reconcile account.
4. Execute a Reconcile operation.


Add Linux Root Account


1. Create a safe to store Unix accounts named “Linux Accounts”
a. Assign CPM: CPM_UNIX
b. Assign default permissions to ldap group LinuxAdmins
c. Optional: Search the Vault and add built-in group ‘Vault Admins’ with all Safe Roles
excluding ‘Use accounts’ and ‘Retrieve accounts’.
2. Duplicate the ‘Unix via SSH’ platform. Name it “CyberArk Lab Unix via SSH Accounts”
3. Create the Unix account root01 in safe Linux Accounts.
a. Assign to “CyberArk Lab Unix via SSH Accounts” platform created in a prior step.
b. Address = 10.0.0.20
c. Password = Cyberark1
4. Perform a Verify and Change operation.

Add Oracle Database Account


1. Create a safe to store Oracle accounts named ‘Database Accounts’.
a. Assign CPM: CPM_UNIX
b. Assign default permissions to ldap group OracleAdmins.
c. Optional: Search the Vault and add built-in group ‘Vault Admins’ with all Safe Roles
excluding ‘Use accounts’ and ‘Retrieve accounts’.
2. Duplicate the ‘Oracle Database’ platform and name it ‘CyberArk Lab Oracle Database Accounts’.
Change the status of the new platform to Active.
a. Edit the “CyberArk Lab Oracle Database Accounts” platform.
b. Navigate to Automatic Password Management > Generate Password. Update the
MinSpecial parameter to a value of -1.
3. Create the Oracle account dba01 in ‘Database Accounts’ safe
a. Assign to the ‘CyberArk Lab Oracle Database Accounts’ platform created in step 2.
b. Address = 10.0.0.20
c. Database = xe
d. Port = 1521
e. Password = Cyberark1
4. Perform a Verify and Change operation.


Note: After completing the above tasks, you should have four test accounts whose passwords
have been verified and changed by a CPM; localadmin01, admin01, root01 and dba01.

10. Log in to the PVWA as the following LDAP users to ensure they can access the appropriate
accounts:
a. winadmin01
b. linuxadmin01
c. oracleadmin01
d. If you receive ITATS004E Authentication failure, review the User Template in the Vault Users
Mapping.


Install PSM
The Customer has purchased CyberArk’s Privileged Session Management (PSM) in order to monitor
and record all activity related to privileged accounts in the network. 2 PSM servers:
Comp01c (10.0.22.1)
Comp01d (10.0.23.1)

Note: Ensure that all Virtual Machines (VMs) are started in your Skytap lab before proceeding
(with the exception of the DR VM).

Objective: In the following sections you will install and configure 2 Standalone PSM Servers in a
Load Balanced Configuration.


Install a Standalone PSM Installation


The PSM installation is divided into several configurable stages: setup (prerequisites), installation,
post installation, Hardening and registration.

Note: The following procedures describe deploying PSM prerequisites, installation, post installation
and hardening via PowerShell scripts. To learn more about the actions performed by the
CyberArk scripts please refer to the online documentation at the following URL.
https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/Landing%20Pages/lp_installPSM.htm

PSM Installation Prerequisites

Note: The following procedure will execute PowerShell scripts. It is recommended to perform a
graceful restart of the component server, to clear any pending restarts and software updates.

1. Sign in to the Comp01C server as Cyber-Ark-Demo\Admin02, PW=Cyberark1.

2. Open File Explorer and navigate to the shared resource folder, Z:\. If the drive is not mapped,
map a network drive to Z: at \\dc01\shared.

a. Navigate to “Z:\CyberArk PAS Solution\v11.2”. Copy the zip file “Privileged Session Manager-Rls-v11.2.zip” to “C:\CyberArkInstallationFiles”.

b. The PrivateArk Client is also required on each PSM server. Copy “Z:\CyberArk PAS Solution\v11.2\Vault Installation Files\Client” to “C:\CyberArkInstallationFiles”.

Note: The installation folder for PSM must not be in a deep directory structure. Shorten the
directory path of the extracted folders.
c. Extract “Privileged Session Manager-Rls-v11.2.zip” to the default folder, then copy the extracted
folder “Privileged Session Manager-Rls-v11.2” to the root of C:\, so that its path is C:\Privileged Session Manager-Rls-v11.2.


3. In File Explorer, navigate to “C:\Privileged Session Manager-Rls-v11.2\InstallationAutomation\Prerequisites”.

4. Edit PrerequisitesConfig.xml with Notepad++: search for every Enable= attribute and set each one to YES.
Save the file and exit.

5. Open Windows PowerShell as Administrator. Change directories to “C:\Privileged Session Manager-Rls-v11.2\InstallationAutomation”.

6. Execute the following commands. The first reports the machine's persistent execution policy, which
this guide keeps at Restricted; the second permits scripts in the current PowerShell process only, so
nothing persists after the window is closed.

Get-ExecutionPolicy
(If the result is not “Restricted”, run “Set-ExecutionPolicy Restricted”)

Set-ExecutionPolicy Bypass -Scope Process

7. Then launch the Execute-Stage.ps1 script with the location of PrerequisitesConfig.xml as the
argument. Because the folder name contains spaces, quote the path argument (not the whole command
line), otherwise PowerShell splits it into several parameters. Example:

.\Execute-Stage.ps1 "C:\Privileged Session Manager-Rls-v11.2\InstallationAutomation\Prerequisites\PrerequisitesConfig.xml"

8. Several scripts will be executed during this process.


9. When prompted in PowerShell, restart the server.

10. After the server restarts, sign in with the same credentials used in step 1, cyber-ark-demo\admin02/Cyberark1.

Note: Customer requirements are a PSM ‘In Domain’ installation to enable RemoteApp
program features, thus the PSM installation prerequisites must be completed while
logged in as a domain user with local Administrator rights.

11. The PowerShell script will launch immediately to complete the prerequisite installation. Allow the
script to complete, then exit PowerShell.

12. A final step before PSM Installation is to assign an appropriate Domain Group access to the
Session Collection.

a. Open Server Manager and navigate to Remote Desktop Services -> Collections -> PSM-
RemoteApp.
b. In Properties, select TASKS -> Edit Properties -> User Groups.
c. Add CYBER-ARK-DEMO\CyberArk Vault Admins and remove CYBER-ARK-DEMO\Domain Users.

PSM Installation

Note: To enable RemoteApp program features, PSM installation must be completed while
logged in as a domain user, with local Administrator rights. Install the PSM logged in as
cyber-ark-demo.local\Admin01 (or Admin02).

1. Using File Explorer, navigate to C:\Privileged Session Manager-Rls-v11.2. Right click setup.exe
and choose “Run as administrator”.

2. Select to install the Microsoft Visual C++ Redistributable Package (x86)

3. Click Next on the welcome screen, then Yes to agree to the license agreement

4. Enter a company name, click Next, then leave the default destination folder and click Next.


5. Leave the default recordings temporary folder and click Next, then accept the default
Configuration safes name and click Next.

6. Enter the IP Address of your vault (i.e., 10.0.10.1) and click Next, then enter the username
Administrator, password Cyberark1 and click Next.


7. At API Gateway connection details option, select Next and Yes to confirm. We will not be
configuring the HTML5 Gateway in this lab.

8. In the InstallShield Wizard Complete window, select “No, I will restart my computer later” and click
Finish.

9. Install the PrivateArk Client and choose to restart the server when complete.

a. Use the Vault IP address 10.0.10.1, for both Server Name, and Address fields, when defining
the first Vault.

10. Following the installation and server restart, go to C:\Windows\Temp and review the
PSMInstall.log.


PSM Post Installation

Note: The following tasks must be performed by a user with administrator rights on the PSM
server.

1. The post installation stage configures the PSM server after it has been installed successfully. The
post installation script does the following steps automatically:
• Disables the screen saver for local PSM users
• Configures users for PSM sessions
• Enables PSM for web applications (optional)
• Enables users to print PSM sessions (optional)
2. Open File Explorer and navigate to “C:\Privileged Session Manager-Rls-v11.2\InstallationAutomation\PostInstallation”.
Edit PostInstallationConfig.xml with Notepad++ and set all Enable= parameters to ‘YES’, with one
exception: leave the last step, “Reduce Win Certificate Wait Time”, disabled. In this lab, and whenever
a Certificate Authority is available, certificate validation should remain enabled.

3. Open PowerShell as administrator from “C:\Privileged Session Manager-Rls-v11.2\InstallationAutomation”
and execute the following two commands (as before, the persistent policy stays Restricted and the
bypass applies only to this process).

Get-ExecutionPolicy
(If the result is not “Restricted”, run “Set-ExecutionPolicy Restricted”)

Set-ExecutionPolicy Bypass -Scope Process

4. Then launch Execute-Stage.ps1 with the location of PostInstallationConfig.xml as the quoted
argument, as shown. Several scripts will be executed during this process.
a. .\Execute-Stage.ps1 “C:\Privileged Session Manager-Rls-v11.2\InstallationAutomation\PostInstallation\PostInstallationConfig.xml”
5. When finished, the script output should report that each enabled step succeeded; the steps are
DisableScreenSaver, ConfigurePSMUsers, ImproveNonRDPConnectorPerformance, WebApplications and
EnablePrintSessions.
6. Review the log file at the location printed in the PowerShell window.

7. Repeat the following steps on the Comp01D component server.


a. PSM Installation Prerequisites
b. PSM Installation
c. PSM Post Installation

8. Warnings may be displayed during the installation of additional PSM servers; these are expected.

PSM Hardening
The PSM hardening stage enhances PSM security by defining a highly secured Windows server. The
hardening procedure, which disables multiple operating system services on the PSM server machine,
is included as part of the PSM installation and is not optional.
PSM Hardening Phase 1
Enable the PSM Hardening GPO for the PSM Servers in Active Directory Group Policy Management.
1. Sign in to the 001-DC Server as Administrator/Cyberark1.
2. On the Desktop, double click the Group Policy Management Console.
3. Expand CyberArk Servers and select the PSM Organizational Unit.
4. Right click the PSM Organizational Unit and select “Link an Existing GPO…”
5. Select PSM GPO and click OK.
6. In the “Linked Group Policy Object” tab, right click the PSM GPO and select “Enforced”.
7. Select OK to confirm.
8. Close Group Policy Management Console and sign out of 001-DC server.


PSM Hardening Phase 2


PSM Hardening Phase 2 accomplishes the following:
• Runs the hardening script
• Runs post hardening tasks
• Applies AppLocker rules
• Applies automatic hardening in 'Out of Domain' deployments (when applicable)

1. Sign in to the Comp01C server.

2. Using File Explorer, navigate to C:\Privileged Session Manager-Rls-v11.2\InstallationAutomation\Hardening.

3. Open HardeningConfig.xml using Notepad ++.

a. Set all Enable= parameters to ‘YES’ except for “ConfigureOutOfDomainPSMServer”.

b. Set SupportWebApplications and ClearRemoteDesktopUsers Value=”Yes”

4. Open PowerShell as administrator in folder C:\Privileged Session Manager-Rls-v11.2\InstallationAutomation.

5. Execute the following commands (as in the previous stages, the persistent policy stays Restricted
and the bypass applies only to this process).

Get-ExecutionPolicy
(If the result is not “Restricted”, run “Set-ExecutionPolicy Restricted”)

Set-ExecutionPolicy Bypass -Scope Process

6. Then launch the Execute-Stage.ps1 script with the location of HardeningConfig.xml as the quoted
argument. Several scripts will be executed during this process.

a. .\Execute-Stage.ps1 “C:\Privileged Session Manager-Rls-v11.2\InstallationAutomation\Hardening\HardeningConfig.xml”

b. The hardening script will take approximately 15-20 minutes to complete.

7. A machine restart is required. Press Enter to restart the PSM Server, when prompted.

8. After the restart, sign in to Comp01C as Admin02. The PowerShell script will continue
automatically.

9. When the scripts complete, they report that the following steps succeeded: RunHardening,
AfterHardening, RunApplocker and HardenTLS. Exit the PowerShell window.

10. Open Computer Management, Local Users and Groups, Groups. Add ‘CyberArk Vault Admins’
group from the Cyber-ark-demo.local domain to the ‘Remote Desktop Users’ group.

11. Review the log file created by the hardening script, located in C:\Windows\Temp\PSMHardening-
{date/time}.log

12. Repeat the procedure “PSM Hardening Phase 2” on the Comp01D component server.
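The three stages above (Prerequisites, Post Installation and Hardening) repeat the same sequence: check the persistent execution policy, bypass it for the current process only, and run Execute-Stage.ps1 with a quoted config path. The following PowerShell function is an added example written for this guide, not CyberArk's own code. It wraps that sequence, refuses to run if the script or config file is missing, and counts the Enable= attributes in the stage's config file before running it. It assumes the lab paths used above and that the config files mark each step with an Enable="Yes" or Enable="No" attribute.

```powershell
# Added example (not CyberArk code): run one InstallationAutomation stage with a
# process-scoped execution-policy bypass. Assumes the lab folder layout and an
# Enable="Yes|No" attribute on each step in the stage's config XML.
function Get-PsmStageSteps {
    param([Parameter(Mandatory)][string]$ConfigPath)
    # Count Enable attributes by value; a regex avoids depending on the XML schema.
    $text  = Get-Content -LiteralPath $ConfigPath -Raw
    $found = [regex]::Matches($text, 'Enable\s*=\s*"(?<v>Yes|No)"', 'IgnoreCase')
    [pscustomobject]@{
        Enabled  = @($found | Where-Object { $_.Groups['v'].Value -ieq 'Yes' }).Count
        Disabled = @($found | Where-Object { $_.Groups['v'].Value -ieq 'No'  }).Count
    }
}

function Invoke-PsmStage {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Prerequisites', 'PostInstallation', 'Hardening')]
        [string]$Stage,
        [string]$Root = 'C:\Privileged Session Manager-Rls-v11.2\InstallationAutomation'
    )
    $script = Join-Path $Root 'Execute-Stage.ps1'
    $config = Join-Path (Join-Path $Root $Stage) "${Stage}Config.xml"
    foreach ($path in @($script, $config)) {
        if (-not (Test-Path -LiteralPath $path)) { throw "Missing file: $path" }
    }

    # The guide keeps the persistent (LocalMachine) policy at Restricted and
    # allows unsigned scripts only for this process; warn if that is not the case.
    $machine = Get-ExecutionPolicy -Scope LocalMachine
    if ($machine -ne 'Restricted') {
        Write-Warning "LocalMachine execution policy is '$machine'; the guide expects 'Restricted'."
    }
    Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

    $steps = Get-PsmStageSteps -ConfigPath $config
    Write-Host "Stage $($Stage): $($steps.Enabled) step(s) enabled, $($steps.Disabled) disabled."

    # Quote the argument: the folder name contains spaces, and an unquoted path
    # would be split into several parameters.
    & $script "$config"

    # Confirm the bypass is confined to this process.
    Get-ExecutionPolicy -List | Where-Object { $_.Scope -in 'Process', 'LocalMachine' }
}

# Usage, in an elevated PowerShell on the PSM server:
# Invoke-PsmStage -Stage Prerequisites
# Invoke-PsmStage -Stage Hardening
```

The step count printed before the run is a cheap guard against the common mistake of forgetting to edit a stage's config file: a Prerequisites run with zero enabled steps does nothing useful, and a Hardening run with ConfigureOutOfDomainPSMServer accidentally enabled will break an in-domain PSM.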

PSM Testing and Validation

1. From Comp01A/B, Login to the PVWA as vaultadmin01 and enable the PSM in the Master Policy.

2. Attempt connecting to the customer’s target devices using the relevant PSM Connection
Components for all accounts (PSM-SSH, PSM-RDP, PSM-WinSCP and PSM-SQL*Plus).

3. Test each PSM server independently.

a. The default PSM server specified in every platform is the very first PSM server installed,
PSMSERVER.

b. Retest every connection component after updating each target platform with the 2nd PSM
Server ID, PSM-COMP01D.

4. Troubleshoot issues as needed.

Challenge: You should be able to connect to all accounts using available connection components
with one exception, dba01 using PSM-SQL*Plus. Expected result is a PSM-SQLPlus
recorded session but you will receive a PSMSR133E error.

What is the root cause of error PSMSR133E?

How might you resolve the issue when attempting to establish a PSM-SQL*Plus
connection?


Load Balanced PSM Servers

Note: in this section we will test connecting to the PSM servers via a load balancer.

Configure PSM Load Balancing

Objective: The Load Balancer in your lab environment is a Round Robin DNS. The Network
Administrator has created a virtual pool of IP addresses and assigned a Virtual IP for the
Load Balancer, represented by the hostname psm-farm.cyber-ark-demo.local. The following
procedure guides you through the necessary changes to the PVWA to support PSM
Load Balancing.

1. Login to the PVWA as vaultadmin01 and go to Administration > Configuration Options > Options
> Privileged Session Management > Configured PSM Servers.

2. Right click on and copy the PSMServer folder.

3. Right click on folder Configured PSM Servers. Select Paste PSMServer.psm


4. Go to the newly added PSMServer and change the ID to psm-farm and the name to Load Balanced
PSM Servers.

5. Expand PSM-Farm. Select Connection Details > Server. Update the Address parameter to that of
your PSM Farm virtual hostname, ‘psm-farm.cyber-ark-demo.local’. Click on Apply and OK to save
the changes.


6. Edit the PSM ID of all target platforms to psm-farm.

Update RDS Certificate

The following procedure will guide you through the steps to assign a certificate to the Remote
Desktop Services deployment in support of the PSM Farm virtual hostname. A certificate has
been provided by the Certificate Administrator for both PSM Servers; Comp01c and Comp01d.

1. Sign in to PSM Server Comp01c as Admin02.


2. Open Server Manager and select Remote Desktop Services in the left navigation pane.
3. In Deployment Overview select Tasks > Edit Deployment Properties. In the Configure the
deployment window, select Certificates > Select existing certificates > Choose a different
certificate. Browse to C:\CyberArkInstallationFiles.
4. Select the file with the .pfx extension and click Open. In the Password: field, enter Cyberark1,
select the box to “Allow the certificate to be added to the Trusted Root Certification Authorities…”
and select OK to close the Deployment Properties window.
5. Repeat steps 2-4 on PSM Server Comp01d.
6. Update the platforms to use the load balanced PSM Server configuration. Edit each platform,
navigate to UI & Workflows > Privileged Session Management and update the PSM Server ID to
psm-farm.

Note: You must be signed in to one of the component servers, i.e., Comp01A/B as a Domain
User and testing should be successful. If signed in to the server as the local
Administrator the current user will not have access to the Certificate Revocation List
Distribution Point.

7. Attempt to connect to different target devices using the PSM-Farm virtual PSM server.


PSM for SSH Installation

Objective: In this exercise you will configure a Linux server to run CyberArk PSM for SSH (PSMP)
server. See the Privileged Session Manager for SSH section of docs.cyberark.com for a
full explanation of all the required steps.

Note: Ensure that all Virtual Machines(VM’s) are started in your Skytap lab before
proceeding (with the exception of the DR VM).

PSM for SSH (PSMP) Preparation

Note: Installing on Linux differs from installing on Windows. A Windows installer prompts for
information such as the Vault IP address, the directory path to install the software, the
Administrator user name and password, and acceptance of the EULA. On Linux, these answers
must be supplied to the installer in text files before setup is launched.

1. Login into your PSMP server console as root/Cyberark1. Alternatively, you can connect to the
PSMP server (10.0.1.16) using Putty from either Component Server.

2. Create an administrative user. Run ‘useradd proxymng’ to create the user account then set a
password for the new account with the command ‘passwd proxymng’ as shown. Set the
password as Cyberark1 and confirm.

3. Edit the vault.ini file. Change directories to /root/PSM-SSHProxy-Installation/ directory and edit
the vault.ini file using the VI editor.

cd /root/PSM-SSHProxy-Installation/
vi vault.ini

4. Update the ADDRESS parameter value to the address of your vault server (e.g. 10.0.10.1). Use the
arrow keys to move the cursor to the text you want to amend, press R (uppercase, case-sensitive) to
enter Replace mode, type the changes and press Esc to stop editing.


5. Enter the command :wq! to save the file and quit vi.

6. Create a credential file for the built-in Administrator. The built-in Administrator user will
authenticate to the Vault and create the Vault environment during installation.

a. Enter the following command to make the CreateCredFile utility executable (read, write and
execute for the owner; read and execute for everyone else).

chmod 755 CreateCredFile

b. Run the CreateCredFile utility as shown. Enter Administrator as the Vault Username and
Cyberark1 as the Vault Password. Accept the default values for the remaining prompts.

./CreateCredFile user.cred

Note: user.cred holds the Vault Administrator credential in a form the installer can use. Keep it
readable by root only (chmod 600 user.cred) and remove it once the installation has completed,
if the installer has not already done so.

7. Edit the psmpparms file to define the installation directory and accept the End User License
Agreement. Remain in the current directory, /PSM-SSHProxy-Installation.

a. Move psmpparms.sample to the /var/tmp directory and rename it to psmpparms:

mv psmpparms.sample /var/tmp/psmpparms

b. Edit the psmpparms file by entering the following command.

vi /var/tmp/psmpparms

c. Edit the following lines as shown.

InstallationFolder=/root/PSM-SSHProxy-Installation
AcceptCyberArkEULA=Yes

8. Use the arrow keys to move the cursor to the text you want to amend, press R (uppercase,
case-sensitive) to enter Replace mode, type the changes and press Esc to stop editing. Enter the
command :wq! to save the file and quit vi.

9. Run the PSMP installation by running the following command as shown from the PSMP
installation directory (the version number in the screenshot may not be identical, you can type the
first characters of the filename and then press tab to auto-complete).

rpm -ivh CARKpsmp-11.2.0-22.x86_64.rpm


10. Run the following command to ensure that the services are running.

service psmpsrv status

11. Review the log using the cat command as shown.

cat /var/tmp/psmp_install.log

12. Check that the PSMPApp_<hostname> users and groups were added to the Vault.

Note: If a Platform managing the root01 account was duplicated prior to installing PSMP you
will need to manually create the link to the Connection Component.


13. Login to the PVWA from COMP01A/B and add the PSMP-SSH and PSMP-SCP Connection
Components to target platform “CyberArk Lab Unix via SSH Accounts” by right clicking on folder
“Connection Components” and choosing “Add Connection Component”.

14. From the Components server, open PuTTY (c:\3rd Party Installation Files\putty.exe) and
enter the following connection string in Host Name to verify that you can log in as linuxadmin01
to the Linux server (10.0.0.20) as root01 via the PSMP. The format is
vaultuser@targetuser@targetaddress@psmp:
linuxadmin01@root01@10.0.0.20@10.0.1.16

a. You may need to issue the “service psmpsrv restart” command on the PSMP server, after
editing your platform, to refresh the platform changes.

15. Make sure you can see the recording of your session in the PVWA. Login to the PVWA as
Auditor01 using LDAP authentication. Navigate to Monitoring, and play the session recording for
linuxadmin01 using client PSMP-SSH.

Troubleshooting
1. If the installation fails, you can view errors in the following logs:


a. /var/tmp/psmp_install.log – This log file describes the activities that occurred during the
installation process.
b. /var/opt/CARKpsmp/temp/CreateEnv.log – This log file describes the activities that
occurred when the Vault environment for PSMP was created.
2. View the logs with the less command and browse through the pages using the space bar.

3. Run the rpm with the -e switch to remove the existing PSMP package and install again.

rpm -e CARKpsmp

4. If the installation completes successfully, but you cannot connect successfully via the PSMP, check
the following logfile:

cat /var/opt/CARKpsmp/logs/PSMPConsole.log


Securing CyberArk

Objective: In this section you will be asked to perform several tasks to make your existing
CyberArk implementation secure. Perform these operations on either Comp01A or
Comp01B servers. The following procedure will restrict an LDAP User from
authenticating via any other interface except the PVWA and PSM.

Lock Down a User’s Interface

Note: Ensure that all Virtual Machines(VM’s) are started in your Skytap lab before
proceeding (with the exception of the DR VM).
1. Log in to the PrivateArk Client as administrator.
2. Open Tools, Administrative Tools, Directory Mapping.
3. Select Map Name Users_cyber-ark-demo.local > Update > User Template > General > Authorized
Interfaces.
4. Using the arrows in the center, select and move all entries listed under the “Authorized
Interfaces” column except PSM, PSMP and PVWA, to Available Interfaces.

5. Select Ok, Ok again and OK a final time, then close the Directory Mapping utility and logoff the
PrivateArk Client.
6. Now logged off, select the defined Vault in the PrivateArk Client. Right click and select Properties
> Advanced > Authentication Methods > LDAP authentication.


7. Select OK and Ok again, then double click the Vault Server icon to login to the Vault.
a. Attempt to logon as Winadmin02, Linuxadmin02 or any other LDAP user that has never signed
in to the PVWA so they are filtered by the Users Directory Mapping.
b. WINCLIENT is the interface used by the PrivateArk Client, and it is no longer in the user's
Authorized Interfaces, so the expected result is that the attempt fails with an ITATS004E
Authentication failure popup.
c. Check the ITALOG.LOG on the Vault server for “ITATS942E Client WINCLIENT is not allowed for
user…”.
8. Attempt to sign in to the PVWA with the same LDAP user, and attempt to launch a PSM
connection component. Expected result = success!
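To make the check in step 7c repeatable, the following PowerShell is an added example written for this guide, not CyberArk's code. It extracts ITATS942E events from ITALOG.LOG lines and reports, per user and client, how many times an interface outside the user's Authorized Interfaces was attempted and when the last attempt occurred. The log lines below are constructed for the example; the layout of the timestamp that precedes the message code is an assumption.

```powershell
# Added example (not CyberArk code): summarise ITATS942E "client not allowed"
# events from ITALOG.LOG per user and interface. Sample lines are constructed;
# the timestamp prefix layout is an assumption.
function Get-DeniedInterfaceAttempts {
    param([Parameter(Mandatory)][string[]]$LogLines)
    $pattern = 'ITATS942E Client (?<client>\S+) is not allowed for user (?<user>.+?)\.?\s*$'
    $events = foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Timestamp = ($line -split 'ITATS942E', 2)[0].Trim()
                User      = $Matches['user']
                Client    = $Matches['client']
            }
        }
    }
    $events | Group-Object -Property User, Client | ForEach-Object {
        [pscustomobject]@{
            User     = $_.Group[0].User
            Client   = $_.Group[0].Client
            Attempts = $_.Count
            LastSeen = $_.Group[-1].Timestamp
        }
    } | Sort-Object -Property Attempts -Descending
}

# Constructed sample lines; on the Vault server read the real file with
# Get-Content -LiteralPath <path to ITALOG.LOG>
$sample = @(
    '05/02/2020 10:31:02 ITATS942E Client WINCLIENT is not allowed for user winadmin02.',
    '05/02/2020 10:31:40 ITATS942E Client WINCLIENT is not allowed for user winadmin02.',
    '05/02/2020 10:32:11 ITATS942E Client PACLI is not allowed for user linuxadmin02.',
    '05/02/2020 10:33:05 ITATS004E Authentication failure for user winadmin02.'
)
Get-DeniedInterfaceAttempts -LogLines $sample | Format-Table -AutoSize
```

A single denial for a user who just tested the PrivateArk Client is expected; repeated denials for the same user, or any attempt from an interface such as PACLI that an LDAP user was never meant to use, are the events worth forwarding from the Vault to a SIEM.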

Use RDP over SSL

NOTE: In this section you will configure the PSM server to require RDP connections over SSL.

Connections to the PSM require a certificate on the PSM machine. By default, Windows
generates a self-signed certificate. In a production implementation a trusted certificate
issued by a Certificate Authority should be obtained.

1. Sign in to comp01C as Admin02 and run GPEDIT.MSC.


2. Navigate to Computer Configuration > Administrative Templates > Windows Components >
Remote Desktop Services > Remote Desktop Session Host > Security.

3. Open the Security settings for: Set client connection encryption level. Click on Enabled and set
the encryption level to High Level then click OK.

4. Open the setting for: Require use of specific security layer for remote (RDP) connections. Click on
Enabled, set the Security Layer to SSL (TLS 1.0) and click OK. The “(TLS 1.0)” in the option name
is the legacy label for the SSL/TLS security layer; the TLS version actually negotiated is governed by
the server's Schannel protocol settings (which the HardenTLS hardening step addresses), not by this
option.

5. Exit GPEDIT.MSC.

6. Repeat steps 1-5 above on the 2nd PSM server in the Load Balanced pool of PSM servers,
Comp01d.


7. Login to the PVWA from Comp01B/A as vaultadmin01. Navigate to ADMINISTRATION >
Configuration Options > Options > Privileged Session Management > Configured PSM Servers >
PSMServer > Connection Details > Server and change the Address attribute to the FQDN of the
PSM server so that it matches the name defined in the COMP01C server certificate.

8. Click Apply to save the changes.

9. Repeat step 7 above, for Configured PSM Servers > PSM-COMP01D.

10. In the PVWA, navigate to ADMINISTRATION > Configuration Options > Options > Connection
Components > PSM-SSH > Component Parameters. Add a new parameter named authentication
level:i and set the Value to 1. This is the standard RDP file setting for server authentication:
0 connects without checking, 1 warns when the PSM server's certificate cannot be validated, and
2 refuses the connection outright.

Note: Repeat this procedure for each connection component the customer intends to use,
(excluding PSMP Connection Components) to enable RDP over SSL connections to the
PSM machine.


11. Restart the PSM service on COMP01C and COMP01D servers to refresh the configuration changes
or wait the default 20 minutes refresh cycle.

12. Establish a PSM-SSH connection using account root01.

Note: If the RDS Certificate was updated during the PSM Hardening phase, the following 4
steps will not be relevant. However, if using the default self-signed certificate for RDS
the first attempt to use RDP over SSL will require you to import the certificate used by
the PSM server.

1. Click on View certificate, then Install Certificate.


2. Click on Local Machine and Next, then Place all certificates in the following store.

3. Click on Browse and then choose Trusted Root Certification Authorities. Then click on Next.

4. Click on Finish then retry the connection.
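The settings from steps 3 and 4 can be confirmed from PowerShell instead of re-opening GPEDIT, and the same check can show which certificate the RDP listener actually presents, which must carry the FQDN configured in step 7. The function below is an added example written for this guide, not CyberArk's code. It reads the local Terminal Services policy values, the live RDP-Tcp listener settings and the listener's certificate, and reports each check as pass or fail. The FQDN passed as -ExpectedName is a lab assumption.

```powershell
# Added example (not CyberArk code): verify that a PSM server enforces the SSL/TLS
# security layer and High encryption for RDP, and that the listener certificate
# carries the FQDN published in the PVWA. -ExpectedName is a lab assumption.
function Test-PsmRdpTls {
    param([Parameter(Mandatory)][string]$ExpectedName)

    # Values written by the two GPEDIT settings above:
    # SecurityLayer 0=RDP, 1=Negotiate, 2=SSL/TLS; MinEncryptionLevel 3=High, 4=FIPS.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # Effective settings on the live listener, plus the bound certificate thumbprint.
    $listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $listener.SSLCertificateSHA1Hash }
    $names = @()
    if ($cert) { $names = @($cert.DnsNameList.Unicode) + @($cert.Subject) }

    @(
        [pscustomobject]@{ Check = 'Policy: security layer is SSL';       Pass = ($policy.SecurityLayer -eq 2) }
        [pscustomobject]@{ Check = 'Policy: encryption level is High';    Pass = ($policy.MinEncryptionLevel -eq 3) }
        [pscustomobject]@{ Check = 'Listener: security layer is SSL';     Pass = ($listener.SecurityLayer -eq 2) }
        [pscustomobject]@{ Check = 'Listener: encryption level >= High';  Pass = ($listener.MinEncryptionLevel -ge 3) }
        [pscustomobject]@{ Check = 'Listener certificate found in store'; Pass = [bool]$cert }
        [pscustomobject]@{ Check = "Certificate names include $ExpectedName"
                           Pass  = (@($names -match [regex]::Escape($ExpectedName)).Count -gt 0) }
    )
}

# Usage on Comp01C (elevated PowerShell), then repeat on Comp01D:
# Test-PsmRdpTls -ExpectedName 'comp01c.cyber-ark-demo.local' | Format-Table -AutoSize
```

A failing name check is the usual cause of the certificate prompt described in the note above: the PVWA connects to the Address configured for the PSM server, and if that string is not one of the names in the certificate the listener presents, server authentication cannot succeed no matter which store the certificate was imported into.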


Manage LDAP BindAccount

NOTE: Ensure that a reconcile account is associated with the BIND account.

1. Logon to the PVWA as Vaultadmin01


2. Edit the VaultInternal safe and assign CPM: CPM_WIN and Save
3. Duplicate the Windows Domain Account platform. Name the new platform “CyberArk Lab
Windows Domain SERVICE Accounts”
4. Edit the new “CyberArk Lab Windows Domain SERVICE Accounts” platform
5. Search for and update the parameters PerformPeriodicChange, VFPerformPeriodicVerification and
RCAutomaticReconcileWhenUnsynched to equal Yes
6. Go to Accounts and search for BindAccount
7. Edit BindAccount.
a. Assign the new platform created in step 3
b. Username field must not include the address i.e., ‘BindAccount’ not ‘BindAccount@cyber-ark-
demo.local’
c. Update the Address field to the domain name only i.e, “cyber-ark-demo.local”
d. Select the optional property Logon To:, and select resolve, to populate the NetBIOS domain
name
e. Clear “Disable automatic management for this account”
f. Save the changes
8. In Account Details, associate a Reconcile Account by selecting Associate and choosing the
Admin01 domain account

9. Select the Change button to change the password of BindAccount.


NOTE: It is recommended to configure these password changes to take place “off hours”, to
minimize the remote possibility of a service outage during password changes. This can
be accomplished by configuring the “From hour, To hour” platform settings
appropriately.

Manage PSMConnect/PSMAdminConnect using the CPM

NOTE: Customers who manage PSMConnect and PSMAdminConnect user credentials with the
CPM must make sure that a reconcile account is associated with these accounts, and
that changes to the password are done via Reconcile.

1. Login to the PVWA as CyberArk user Administrator and go to POLICIES > Access Control (Safes)
and choose the PSM safe. Click on Edit.

2. Assign to CPM: CPM_WIN.

3. Select Save, then select the PSM safe again and choose Members.

4. Choose Add Members. Query the Vault for the ‘Vault Admins’ group, Assign all roles. Assigning
the built-in ‘Vault Admins’ group will now allow the VaultAdmin01 user to see the PSM accounts
in the PSM safe.

a. Sign out of the PVWA as Administrator. Sign in as VaultAdmin01.

5. Next, we need to assign the PSM users to a duplicate of the Windows Server Local Accounts platform and
configure the platform to perform changes using the Reconcile mechanism.

a. Go to platform management and create a duplicate of the Windows Server Local Accounts
platform. Suggested name is “CyberArk Lab PSM Local Accounts”.


b. Edit the platform you just created.

• Select Automatic Password Management > Password Reconciliation. Update parameter
RCAutomaticReconcileWhenUnsynched to Yes.

• Right click on Automatic Password Management and select “Add Additional Policy
Settings”.

• Select “Additional Policy Settings” and update ChangePasswordInResetMode to Yes.
Click on OK to save.


6. Go to ACCOUNTS in the classic UI and select both PSMConnect and both PSMAdminConnect users.
Select the Modify button and click on Edit.

7. Change Device Type to Operating System and Platform Name to “CyberArk Lab PSM Local
Accounts” and select Save.


8. Associate a Reconcile Account. This can be done at the platform level, so that all accounts
assigned to the platform will be associated with the Reconcile Account. Or, associate a Reconcile
Account for each PSMConnect and PSMAdminConnect user, by selecting Associate and choosing
the Admin01 domain account.

Recommended: Define the Reconcile account at the platform level.

9. Using the Accounts View (Classic UI) select all PSMConnect and PSMAdminConnect accounts.

a. Select the menu option, Manage, Change, Change the password immediately (by the CPM).
This will flag all 4 accounts for password reconciliation.

b. Review each account status to confirm the CPM successfully reconciled the passwords.


Recommended: Schedule password changes during off hours to reduce the possibility of a
service outage.


Manage CyberArk Administrator Account using the CPM


In this section you will configure the CPM to manage the password for the built-in CyberArk
Administrator user.

NOTE: After this step the CPM will change the password for the built-in administrator and you
will need to retrieve the password of Administrator from the Vault, when necessary.

1. Login to the PVWA as vaultadmin01 and change the CyberArk Vault platform to Active.

2. Create a new safe.

a. Safe name = CyberArk Administrators
b. Assigned CPM = CPM_WIN
c. Add Members = Vault Admins. Search in Vault. Grant all roles (Access, Account Management,
Safe Management, Monitor, Workflow, Advanced).

3. Delete the Vaultadmin01 user. Scroll to the right, and click on the trash can.


4. Create a new account in the PVWA for Administrator with the following properties.

Store in Safe    CyberArk Administrators
Device Type      Application
Platform         CyberArk Vault
Username         Administrator
Address          10.0.10.1
Password         Cyberark1

5. Execute a verify and change operation for Administrator.

Connect with PSM-PrivateArk Client


The following procedure will configure the PSM to support the PSM-PrivateArk Client Connection
Component.

Note: The PrivateArk Client must be installed on the PSM server, as instructed during the PSM
Installation section of this guide. The PrivateArk Client must also be configured in
Global Configuration mode, which enables you to define Vault definitions that will be
available to use by any logged on user to the server, and also with the PSM-PrivateArk
Client Connection Component.

1. Sign in to the PSM server Comp01C as Admin02 and run the PrivateArk Client from the desktop.
Do not log in to the Vault.


2. Ensure that at least one vault server is defined, as shown in the graphic. If not, select the File,
New, Server menu option and define a new vault using 10.0.10.1 for both the Name and Address
fields.

3. Go to Tools > Administrative Tools > Export Configuration Data.

4. Browse to your Desktop folder and select “Export Global Configuration Data” and click OK. Close
the PrivateArk Client.

5. Open the PrivateArk Configuration Data.ini file saved to your desktop and confirm the IP address
of the Vault server is in the path at the top of the file.

6. Rename the file to GlobalSettings.ini. Right click on GlobalSettings.ini file and choose Properties >
Security tab. Grant default (RX) permissions to the local Comp01C\PSMShadowUsers group on
the PSM server.

7. Use the PAConfig.exe utility to change the configuration to Global Configuration. Open an
Administrative Command Prompt in folder “C:\Program Files (x86)\PrivateArk\Client” and run the
following command:

PAConfig.exe /inifile c:\Users\Admin02\Desktop\GlobalSettings.ini


8. Restart the server.


9. Sign in to the PSM server Comp01C as Admin02 and add the PrivateArk Client executable as an
authorized application in the Applocker configuration.
a. Using File Explorer navigate to c:\Program Files (x86)\CyberArk\PSM\Hardening.
b. Edit the file PSMConfigureApplocker.xml using Notepad++. Find the “Generic Client support”
section at the bottom. Copy the “Generic client sample” line. Paste this line into the
“Microsoft IExplore processes” section (which is not commented out) and edit the Name and Path as
follows: Name=”PrivateArk Client”, Path="C:\Program Files (x86)\PrivateArk\Client\Arkui.exe"

10. Save the file.

11. Reapply the Applocker rules by executing the PSMConfigureApplocker.ps1 script.

Note: For more information refer to “Run AppLocker Rules”.

12. Sign in to the PVWA from Comp01A or Comp01B. Attempt to connect to the Vault using
Administrator and the PSM-PrivateArkClient connection component. If you did not enable RDP
over SSL for the PSM-PrivateArkClient connection component, you will need to do so now.


Connect using PSM-PVWA-Chrome


In this section you will configure the PSM to support connections with CyberArk administrative
accounts to the Vault using the PVWA.

Note: In order for the PSM to support Web Applications, the PSM hardening scripts must be
configured and executed appropriately.

In this exercise, you will enable Google Chrome on the PSM Server, and use the new
PSM-PVWA-v10 Connection Component.

1. Configure Applocker to enable Google Chrome.


a. In the “C:\Program Files (x86)\CyberArk\PSM\Hardening” subfolder, edit the
PSMConfigureApplocker.xml using Notepad++.
b. Find the “Google Chrome process” section near the bottom of the file and remove the
comments from the section, as shown.
c. Replace Method=”Hash” with Method=”Publisher”, as shown.

2. Save the file.

3. Open PowerShell as Administrator in the folder specified in step 1 above.

a. Get-ExecutionPolicy (If the result is not “Restricted”, run “Set-ExecutionPolicy Restricted”)


b. Set-ExecutionPolicy Bypass -Scope Process

4. Execute the PSMConfigureApplocker.ps1 script, applying the Applocker rules defined in
PSMConfigureApplocker.xml.

5. Sign in to the PVWA as Vaultadmin01 and navigate to Administration > Configuration Options >
Options > Connection Components, PSM-PVWA-v10.

6. Copy the component and paste it under Connection Components so that you can customize the
component without modifying the original. Rename the copied component PSM-PVWA-Chrome.

7. Select the PSM-PVWA-Chrome connection component. Edit the Display Name parameter to
PSM-PVWA-Chrome.

8. Navigate to Target Settings->Web Form Settings and configure the following:


a. In LogonURL, replace "{address}" with the fully qualified hostname of your Load Balanced
PVWA server pool, including the authentication method, as follows:
https://pvwa.cyber-ark-demo.local/passwordvault/v10/logon/cyberark

Note: "EnforceCertificateValidation" =Yes by default. This is fine, because in this lab we have
replaced the self-signed web certificate with a trusted web certificate on the PVWA
server.

9. Enable RDP over SSL for the PSM-PVWA-Chrome connection component by adding a new
Component Parameter called authentication level:i with a value of 1.

10. Edit the CyberArk Vault platform. Rename the PSM-PVWA-v10 connection component to
PSM-PVWA-Chrome. Click Apply to save your changes but remain editing the platform.

11. Select “Connection Components”. Add the value PSM-PVWA-Chrome to the
PSMConnectionDefault parameter. This will make it show up first in the list of Connection
Components for accounts assigned to this platform. Save the platform.

12. Restart the “Cyber-Ark Privileged Session Manager” Server service on both PSM servers.

13. While signed in to the PVWA as Vaultadmin01, connect with Administrator to the Vault using the
PSM-PVWA-Chrome connection component.


14. Validate recording. Sign out as VaultAdmin01, and sign in to the PVWA as Auditor01 using LDAP
authentication. Verify that you can view the recordings of your PrivateArk Client and PVWA
sessions.


CyberArk Vault Backup


Enable the Backup and DR Users

Note: Ensure that all virtual machines (VMs) are started in your Skytap lab before proceeding
(with the exception of the DR VM).

For this section of the exercise, you will first log in to the PrivateArk Client on the Comp01A Server.

1. Use the PrivateArk client to log into the Vault as administrator (use the PSM-PrivateArk Client
connection component).

2. Go to Tools > Administrative Tools > Users and Groups.

3. Highlight the Backup user (located under System) and press Update.

4. On the General tab uncheck the Disable User checkbox.


5. On the Authentication tab enter Cyberark1 in the Password and Confirm fields.

6. Press OK.

Note: The DR user will be used in the Disaster Recovery exercise. We will enable it now as
long as we are here.

7. Highlight the DR user (located under System) and press Update.


8. On the General tab uncheck the Disable User checkbox.

9. On the Authentication tab enter Cyberark1 in the Password and Confirm fields. Click OK, then
log off the PrivateArk Client.


Install the PrivateArk Replicator Component

1. Sign in to the Comp01A Server, open Windows File Explorer and navigate to the shared resource
folder “Z:\”. If the Z: drive is not mapped, map Z: to \\dc01\shared.

2. Navigate to “Z:\CyberArk PAS Solution\v11.2\”. Copy the file ‘Replicate-Rls-v11.2.zip’ to
“C:\CyberArkInstallationFiles” and extract all files.

3. Navigate to the extracted folder ‘C:\CyberArkInstallationFiles\Replicate-Rls-v11.2’, right click
setup.exe and choose “Run As Administrator”.

4. Accept all the default parameters to complete the installation. On the Welcome screen enter Next
and click Yes to accept the license agreement.

5. Enter CyberArk for the user and company names and click Next, and Next again to accept the
default destination location.


6. Press Next to accept the default Safes location and click Finish to complete the installation.

7. In Windows File Explorer, navigate to C:\Program Files (x86)\PrivateArk\Replicate.

8. Edit the Vault.ini file and enter the IP address of your Vault server in the address parameter.

9. Save and close the file.


Note: You will now create a credential file that the Replicator Component will use to
authenticate to the vault server.

10. Open an Administrator Command Prompt in the Replicate root installation directory,
“C:\Program Files (x86)\PrivateArk\Replicate”.

11. Use the CreateCredfile.exe utility to create the user.ini credential file:

CreateCredFile.exe user.ini

Vault Username [mandatory] ==> Backup

Vault Password…==> Cyberark1

12. Press Enter to accept the defaults for the remaining questions.

Create a Windows Scheduled Task

1. Open the ‘Task Scheduler’ application from the Windows Start Menu > Administrative Tools
menu. Select ‘Task Scheduler Library’, right click and select ‘Create a Basic Task’.
a. In the Name field type ‘CyberArk Full Backup’ and click Next.
b. Run the Task Weekly, click Next.
c. Accept the default start date and time and select at least one day of the week. Click Next.
d. Select ‘Start a program’ and select Next.
e. In the Program/script: field enter the following, including the double quotes.

“C:\Program Files (x86)\PrivateArk\Replicate\PAReplicate.exe”

f. Enter the following without double quotes in the ‘Arguments (optional):’ field.


vault.ini /logonfromfile user.ini /FullBackup

g. Enter the following without double quotes in the ‘Start in (optional):’ field

C:\Program Files (x86)\PrivateArk\Replicate

2. Click Next and Finish at the Summary.


3. Double click the ‘CyberArk Full Backup’ task in the Task Scheduler Library. Change the User or
Group to ‘System’ and click Ok.
4. Select the ‘CyberArk Full Backup’ task in the Task Scheduler Library, right click on it and select
‘Run’.
Note: You can check the status of the job by scrolling to the right and refreshing the column ‘Last
Run Result’.

5. You can also run the command directly from a command line; however, it is not recommended to
create a batch file containing the PAReplicate command and reference it from the Scheduled Task.

6. Review the PAReplicate.log file located in the \Replicate root directory.


Note: The first time running PAReplicate with the /FullBackup argument may take an
extended amount of time in a Production environment depending on the number and
size of accounts and PSM recordings. Subsequent Full Backups will only backup
changed files, equivalent to a Differential Backup.
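The same scheduled task, registered with the Task Scheduler cmdlets instead of the wizard, as an added example that is not part of the lab guide. It uses the program, arguments, "Start in" folder, task name and SYSTEM principal from the steps above; the Sunday 02:00 trigger and the 8-hour time limit are constructed values, since the guide only asks for "off hours".

```powershell
# Added example (not from the CyberArk lab guide). Registers the weekly full-backup task
# from "Create a Windows Scheduled Task" with the ScheduledTasks cmdlets (Windows Server
# 2012+), runs it once and reports the result, mirroring the wizard steps 1-6.
#Requires -RunAsAdministrator

$replicateDir = 'C:\Program Files (x86)\PrivateArk\Replicate'
$taskName     = 'CyberArk Full Backup'
$exe          = Join-Path $replicateDir 'PAReplicate.exe'

# Fail early if the Replicator, its Vault.ini or the CreateCredFile output is missing:
# a task that starts and fails silently is worse than a clear error now.
foreach ($f in @($exe, (Join-Path $replicateDir 'vault.ini'), (Join-Path $replicateDir 'user.ini'))) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing required file: $f" }
}

# Program/script, Arguments and "Start in" exactly as entered in wizard steps 1e-1g.
# The working directory matters: PAReplicate resolves vault.ini and user.ini relative to it.
$action = New-ScheduledTaskAction -Execute $exe `
    -Argument 'vault.ini /logonfromfile user.ini /FullBackup' `
    -WorkingDirectory $replicateDir

# Weekly trigger. Sunday 02:00 is a constructed "off hours" value; adjust to your window.
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At '2:00AM'

# Run as SYSTEM (step 3): no interactive account password is stored with the task, and the
# credential file stays the only secret the Replicator needs.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# A first full backup of a large Vault can run for hours (see the note above), so give it
# a generous limit rather than the 3-day default, and catch up if the window was missed.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 8) `
    -StartWhenAvailable

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Step 4: run the task now, then wait for it to leave the Running/Queued states.
Start-ScheduledTask -TaskName $taskName
do {
    Start-Sleep -Seconds 10
    $state = (Get-ScheduledTask -TaskName $taskName).State
} while ($state -in @('Running', 'Queued'))

# The wizard's 'Last Run Result' column is LastTaskResult here; 0 means success.
$info = Get-ScheduledTaskInfo -TaskName $taskName
if ($info.LastTaskResult -ne 0) {
    Write-Warning ("{0} finished with result 0x{1:X8} at {2}" -f $taskName, $info.LastTaskResult, $info.LastRunTime)
} else {
    Write-Host ("{0} completed successfully at {1}" -f $taskName, $info.LastRunTime)
}

# Step 6: show the tail of PAReplicate.log so the operator can confirm what was backed up.
$log = Join-Path $replicateDir 'PAReplicate.log'
if (Test-Path -LiteralPath $log) { Get-Content -LiteralPath $log -Tail 10 }
```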


Testing the Backup/Restore Process

1. Login to the PVWA as Vaultadmin01.

2. Go to POLICIES > Access Control (Safes).

3. Select your Linux accounts safe and Delete it.

4. Press Yes to confirm that you would like to delete the Safe and its contents.

5. You will receive a message that the Root folder cannot be deleted for 7 days. However, the
contents of the Safe will be removed.

6. To confirm that the contents of the Safe have been deleted, go to the Accounts page.

7. Enter root in the search box and press the Search button.


8. The root account that you created earlier in this exercise using address 10.0.0.21, will not appear.

9. Open a Command Prompt in ‘C:\Program Files (x86)\PrivateArk\Replicate’ and run the following:

PARestore.exe vault.ini dr /RestoreSafe "Linux Accounts" /TargetSafe LinuxRestore

Note: If the command doesn’t run, check the syntax and make sure you have entered all of
the spaces correctly. Use quotation marks around the safe name in case there is a space in the
safe name (for example, if the name of the safe is Linux Accounts then use "Linux
Accounts").

10. Enter the DR user’s password (Cyberark1).

11. You should receive a message stating that the restore process has ended.

12. Return to the PVWA as Vaultadmin01 and search for root again.

13. You should now see the root01 account residing in the Safe LinuxRestore.


Disaster Recovery

Objective: In this section we will install and test the Disaster Recovery module. Prior to installing
the CyberArk Disaster Recovery software, the DR server must have the PrivateArk
Server installed. The PrivateArk Server and Client software has already been installed
on your DR machine.

Note: Ensure that all virtual machines (VMs) are started in your Skytap lab before
proceeding (with the exception of the DR VM).

Note: If you have completed the CyberArk Vault Backup exercise, the DR user has already
been enabled. If you did not enable the DR user, please do that now.

Note: The DR Vault must be configured to support LDAP Authentication. Importing the
Certificate Authority Root Certificate and updating the Hosts file with the LDAP
Directory Server is required. In this lab, these tasks have been completed.

Install the Disaster Recovery Module

Note: Ensure that the DR Virtual Machine is started in your lab!

1. Sign into the Disaster Recovery Vault server (DR) as Administrator.

2. Open the Server Central Administration app from the Desktop icon labeled ‘PrivateArk Server’ to
confirm the version of the DR Digital Vault is identical to the version installed on the Primary
Digital Vault Server.

a. Look for the message beginning with ITADB313I.

b. Close the Server Central Administration application.

3. Open the PrivateArk client and login to the DRVault as administrator.

Note: The only Safes in the Vault are the three built-in Safes.


4. Logoff and close the PrivateArk Client application.

5. Open the Windows Services applet and stop the PrivateArk Server service.

6. Open File Explorer and navigate to “C:\CyberArkInstallationFiles\CyberArk Enterprise Password
Vault\Disaster Recovery-Rls-v11.2”.

7. Right click setup.exe and “Run as administrator”.

8. Press Next on the welcome screen and Yes to accept the license agreement.

9. Enter CyberArk in the Company field on the user information screen.

10. Click Next to accept the default destination folder.

11. Enter DR as the user and Cyberark1 as the password and click Next.


12. Enter your Primary Vault IP Address (10.0.10.1) and click Next.

13. Allow the server to restart by pressing Finish.

Validate Replication

1. After the server restarts, sign in to the DR Server as Administrator.

2. Use Notepad to open ‘C:\Program Files (x86)\PrivateArk\PADR\Logs\padr.log’.

3. Confirm that the production Vault replicated successfully.

a. In the PADR.log file you just opened, you will see entries with the
informational code PAREP013I Replicating Safe and, at the end, PADR0010I Replicate ended.


4. Open the \Conf\PADR.ini file and note that FailoverMode is equal to No.

Execute Automatic Failover Test

Preparation: In the following procedures you will be guided through the process of failover and
failback, replicating Vault data to and from the DR Vault. This requires an additional DR
user that you must create on the Primary Vault so that it is available on the DR Vault
when needed.


1. Sign in to the PVWA on Comp01A/B. Find the built-in Administrator for the Vault and launch the
PSM-PrivateArk Client Connection Component.

2. Select menu item Tools > Administrative Tools > Users and Groups then select the System folder.

3. Select New > User and configure the following ‘General Details’

a. User Name: DR_Failback

b. User type: DR_Users

c. Select the ‘Authentication’ tab and set the password to ‘Cyberark1’.

d. Deselect ‘User Must Change Password at Next Logon’ and select ‘Password Never Expires’.

e. Select Authorizations tab and select Backup All Safes and Restore All Safes.

f. Select the ‘Member Of’ tab. From the ‘Available Groups:’ column on the right, select ‘DR
Users’ and move to the ‘Member Of:’ column on the left.

g. Click OK to save. Close the ‘Users and Groups’ window and sign out of the PrivateArk Client.

h. Sign in to the DR Vault and restart the CyberArk Vault Disaster Recovery Service using the
Windows Services Applet. This will ensure that the new DR_Failback user has been replicated
to the DR Vault.

i. Check the PADR.LOG file to ensure that replication is working correctly.

Execute Failover: In the following procedures you will be guided through the process of failover.

4. Sign in to the console of your Primary Vault server, Vault01A.

5. Open the Windows Services applet and stop the PrivateArk Server service.

6. On the console of the DR Server, open the PADR log file. You should see messages stating that the
DR Vault cannot reach the production Vault.


7. Alternatively, follow the tail of the padr.log using Windows Powershell.

8. Open Windows PowerShell from the taskbar.

9. Change directories to “C:\Program Files (x86)\PrivateArk\PADR”

10. Type the following command

Get-Content .\logs\padr.log -Wait

11. After 5 failures by default, the DR Vault will go into failover mode. Total duration = 5 minutes.
Check the PADR.log and review the sequence of events.
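An added example (not from the lab guide) that serves both the "Validate Replication" check above and the failover watch here: it parses padr.log for the PAREP013I and PADR0010I codes named in the guide to decide whether the last replication cycle completed, and can follow the live log with Get-Content -Wait as in step 10. The sample log lines are constructed, the real padr.log layout is not shown on the page, and the assumption that message codes end in I, W or E for information, warning and error is mine.

```powershell
# Added example (not from the CyberArk lab guide). Summarises a PADR log and optionally
# follows it live. Only the codes quoted in the guide (PAREP013I, PADR0010I) are relied on.

function Get-PadrReplicationStatus {
    # Returns whether the most recent replication cycle in the given log lines ran to
    # completion, i.e. a PADR0010I "Replicate ended" line came after the last PAREP013I.
    param([Parameter(Mandatory)][string[]]$Lines)

    $safes = 0; $lastStartIdx = -1; $lastEndIdx = -1; $lastEnd = $null; $problems = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i]
        # Message codes look like PAREP013I / PADR0010I: "PA", letters, digits, severity letter.
        if ($line -notmatch '(?<code>PA[A-Z]+\d+(?<sev>[IWE]))') { continue }
        switch ($Matches.code) {
            'PAREP013I' { $safes++; $lastStartIdx = $i }           # Replicating Safe ...
            'PADR0010I' { $lastEndIdx = $i; $lastEnd = $line }     # Replicate ended
            default     { if ($Matches.sev -ne 'I') { $problems += $line } }  # assumption: W/E = trouble
        }
    }
    [pscustomobject]@{
        SafesReplicated = $safes
        CycleCompleted  = ($lastEndIdx -ge 0 -and $lastEndIdx -gt $lastStartIdx)
        LastReplicateEnded = $lastEnd
        Problems        = $problems
    }
}

function Watch-PadrLog {
    # Step 10 from the guide, filtered: follow padr.log and surface only non-informational
    # lines, so the failover sequence stands out while the 5 connection attempts elapse.
    param([string]$Path = 'C:\Program Files (x86)\PrivateArk\PADR\Logs\padr.log')
    Get-Content -LiteralPath $Path -Wait |
        Where-Object { $_ -match 'PA[A-Z]+\d+[WE]' -or $_ -match 'PADR0010I' }
}

# Constructed sample, shaped after the two codes the guide quotes; real entries differ.
$sampleGood = @(
    '2024-01-04 09:00:01 PAREP013I Replicating Safe System.'
    '2024-01-04 09:00:02 PAREP013I Replicating Safe Linux Accounts.'
    '2024-01-04 09:00:05 PADR0010I Replicate ended.'
)
$sampleCut = $sampleGood[0..1]   # a cycle that started but never logged "Replicate ended"

$ok  = Get-PadrReplicationStatus -Lines $sampleGood   # CycleCompleted = True, 2 safes
$bad = Get-PadrReplicationStatus -Lines $sampleCut    # CycleCompleted = False

"Good log: completed={0} safes={1}" -f $ok.CycleCompleted, $ok.SafesReplicated
"Cut log:  completed={0} safes={1}" -f $bad.CycleCompleted, $bad.SafesReplicated

# Against the real DR Vault log (uncomment on the DR server):
# $real = Get-PadrReplicationStatus -Lines (Get-Content 'C:\Program Files (x86)\PrivateArk\PADR\Logs\padr.log')
# if (-not $real.CycleCompleted) { Write-Warning 'Last replication cycle did not end cleanly' }
# Watch-PadrLog   # then stop the PrivateArk Server service on Vault01A and observe
```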


12. On the DR Vault server, open the PrivateArk client.

13. Modify the properties of the DRVault shortcut to require LDAP Authentication. Login as
VaultAdmin01.

Note: The built-in Administrator user is now being managed by the CPM and the password
has been changed and replicated to the DR Vault. In the event of an actual disaster,
the built-in Administrators password may not be accessible and so it is important to
configure the DR Vault to support LDAP Authentication for administrative and normal
user access.

14. Note that the Safes and data match those in the Primary Vault.

Execute Failback Procedure Using Manual Failover

In the next steps, you will replicate data back from the DR Vault to the Primary Vault, perform a
Manual Failover to bring the Primary Vault back up, and set the DR server back to DR mode.


1. Sign in to the Primary Vault Server and Repeat the steps for Installing the DR module on the
Primary Vault, this time configuring the DR module to replicate data from the DR Vault.

a. Enter DR_Failback as the DR user, with password ‘Cyberark1’.

b. Enter the DR Vault’s IP Address.

2. After the server restart, review the PADR.LOG to verify that the Primary Vault has replicated all
the changes from the DR Vault.


3. On the Primary Vault Server edit the PADR.ini file.

a. Set EnableFailover=No

b. Add the following line: ActivateManualFailover=Yes

c. Save the file and exit.

4. Restart the ‘CyberArk Disaster Recovery’ Service on the Primary Server. The service should start
and stop immediately (because of the “ActivateManualFailover” parameter), then the ‘PrivateArk
Server’ service should start. Verify that the PrivateArk Server service has started successfully on
the Primary Vault server.


a. If the PrivateArk Server service does not start automatically, start the service manually.

5. On the DR Vault server edit the PADR.ini file.

a. Change FailoverMode from Yes to No.

b. Delete the last two lines (log number and timestamp of the last successful replication) in the
file.

c. Save and exit the file.

6. Reset the DR user password on the Primary Vault Server using the PrivateArk Client.

7. Recreate the credential file on the DR Vault server to match the password set in the PrivateArk
Client on the Primary Vault. Check Trusted Net Areas… to ensure the DR user has not been
suspended.


Note: The ‘CreateCredFile.exe’ utility is in C:\Program Files (x86)\PrivateArk\PADR but the
credential file MUST be copied to the \Conf directory.

Copy the user.ini file from \Conf to the root of the \PADR directory, overwrite it there with
the newly created file, and copy it back to the \Conf directory, overwriting the original file.

8. Using the Windows Services applet, stop the PrivateArk Server service and start the CyberArk Vault Disaster Recovery service.

9. Check the PADR log file and confirm that the replication process started and that the replication (from the Primary Server to the DR Server) ended successfully.
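The two halves of this procedure as one PowerShell script, added here as an example; it is not part of the CyberArk lab guide. Run it with -Role Primary on the Primary Vault (steps 3 and 4) and with -Role DR on the DR Vault (steps 5, 7, 8 and 9); step 6, the password reset in the PrivateArk Client, stays manual. Everything environment-specific is an assumption to confirm on your own build: the installation paths, the service display names ‘PrivateArk Server’ and ‘CyberArk Vault Disaster Recovery’, the CreateCredFile.exe switch syntax (/Username and /Password; check CreateCredFile.exe /? if your version differs), the PADR log location and the "ended successfully" wording the script waits for.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the CyberArk lab guide). Usage:
#   .\Invoke-VaultFailback.ps1 -Role Primary   (on the Primary Vault: steps 3 and 4)
#   .\Invoke-VaultFailback.ps1 -Role DR        (on the DR Vault: steps 5, 7, 8 and 9)
# Step 6 (reset the DR user's password in the PrivateArk Client) stays manual.
# Assumed, verify on your build: paths, service display names, the CreateCredFile.exe
# switches (/Username, /Password) and the PADR log path and wording.
param([Parameter(Mandatory)][ValidateSet('Primary', 'DR')][string]$Role)

$PadrRoot = 'C:\Program Files (x86)\PrivateArk\PADR'
$PadrIni  = Join-Path $PadrRoot 'PADR.ini'
$ConfCred = Join-Path $PadrRoot 'Conf\user.ini'
$PadrLog  = Join-Path $PadrRoot 'Logs\PADR.log'   # assumed location

function Set-IniValue {
    # Replace "Key=..." in place, or append it if absent; no other line is touched.
    param([string]$Path, [string]$Key, [string]$Value)
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*='
    $found = $false
    $out = @(foreach ($line in (Get-Content -Path $Path)) {
        if ($line -match $pattern) { $found = $true; "$Key=$Value" } else { $line }
    })
    if (-not $found) { $out += "$Key=$Value" }
    Set-Content -Path $Path -Value $out -Encoding ASCII
}

function Wait-ServiceStatus {
    param([string]$DisplayName, [string]$Status, [int]$TimeoutSec = 120)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        if ((Get-Service -DisplayName $DisplayName).Status -eq $Status) { return $true }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Invoke-PrimaryFailback {
    Set-IniValue -Path $PadrIni -Key 'EnableFailover'         -Value 'No'    # step 3a
    Set-IniValue -Path $PadrIni -Key 'ActivateManualFailover' -Value 'Yes'   # step 3b
    # Step 4: the DR service exits again at once because of ActivateManualFailover, so a
    # start error here is expected; what matters is that the Vault service comes up.
    Get-Service -DisplayName 'CyberArk Vault Disaster Recovery' | Restart-Service -ErrorAction SilentlyContinue
    if (-not (Wait-ServiceStatus 'PrivateArk Server' 'Running')) {
        Get-Service -DisplayName 'PrivateArk Server' | Start-Service              # step 4a
        if (-not (Wait-ServiceStatus 'PrivateArk Server' 'Running')) {
            throw 'PrivateArk Server did not start on the Primary; check the Vault log (ITALog)'
        }
    }
}

function Invoke-DrFailback {
    Set-IniValue -Path $PadrIni -Key 'FailoverMode' -Value 'No'                  # step 5a
    # Step 5b: drop the two trailing state lines (last log number and replication timestamp).
    $lines = @(Get-Content -Path $PadrIni | Where-Object { $_.Trim() -ne '' })
    if ($lines.Count -lt 3) { throw "$PadrIni is shorter than expected; edit it by hand" }
    Write-Host ('Removing from PADR.ini: ' + ($lines[-2..-1] -join ' | '))
    Set-Content -Path $PadrIni -Value $lines[0..($lines.Count - 3)] -Encoding ASCII

    # Step 7: rebuild user.ini in \PADR with the new DR password, then put it back in \Conf.
    $secure = Read-Host -Prompt 'DR user password as set on the Primary' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $work = Join-Path $PadrRoot 'user.ini'
    Copy-Item -Path $ConfCred -Destination $work -Force
    Push-Location $PadrRoot
    try {
        & .\CreateCredFile.exe user.ini Password /Username DR /Password $plain   # assumed switch syntax
        if ($LASTEXITCODE -ne 0) { throw "CreateCredFile.exe exited with code $LASTEXITCODE" }
    } finally { Pop-Location; $plain = $null }
    Move-Item -Path $work -Destination $ConfCred -Force   # leave no second copy of the credential file

    # Step 8
    Get-Service -DisplayName 'PrivateArk Server' | Stop-Service -Force
    Get-Service -DisplayName 'CyberArk Vault Disaster Recovery' | Start-Service

    # Step 9: poll the PADR log until the replication from the Primary has completed.
    $deadline = (Get-Date).AddMinutes(15)
    do {
        $tail = Get-Content -Path $PadrLog -Tail 100 -ErrorAction SilentlyContinue
        if ($tail -match 'replication.*ended successfully') { Write-Host 'Replication completed'; return }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "No successful replication recorded in $PadrLog within 15 minutes"
}

switch ($Role) {
    'Primary' { Invoke-PrimaryFailback }
    'DR'      { Invoke-DrFailback }
}
```

The password is handed to CreateCredFile.exe as a command-line argument, so it is briefly visible in the process list of the DR Vault; run the DR half from a console session on that server only, which is where the guide performs the step anyway, and never pass the password on the script's own command line.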


(Optional) Exercises
Adding Firewall Rules to the Vault Manually
1. Log on to the Vault operating system as Administrator.
2. Open the dbparm.ini file, add the following lines at the bottom, then save the file.

3. Open the PrivateArk Server console and restart the PrivateArk Server service from there, using the red light button first, then the green light button. Watch the displayed log to make sure you see the following message.

4. Open a command prompt window and type in the following line:

wf.msc

5. The firewall utility should show rules like these underneath the Inbound Rules section.
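The same check from the command line, as an added example that is not part of the lab guide: it lists the enabled inbound rules together with the ports and remote addresses they allow, which is what you would otherwise read off wf.msc. The -DisplayName wildcard is an assumption about how the Vault names its rules; start with '*' and narrow it once you see them. On a hardened Vault the only inbound traffic expected is the Vault port (TCP 1858) plus whatever you just added in dbparm.ini, so an Allow rule open to 'Any' remote address is worth a second look.

```powershell
# Added example (not from the CyberArk lab guide): inbound firewall rules as wf.msc shows
# them, but in a form you can diff or keep with the change record.
function Get-InboundRuleSummary {
    param([string]$DisplayName = '*')   # wildcard over rule display names; assumed naming
    Get-NetFirewallRule -Direction Inbound -Enabled True -DisplayName $DisplayName |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Action        = $_.Action
                Protocol      = $port.Protocol
                LocalPort     = ($port.LocalPort -join ',')
                RemoteAddress = ($addr.RemoteAddress -join ',')
            }
        }
}

# Everything inbound, ordered by port: the Vault port 1858 and the rules you added should be
# the only Allow entries.
Get-InboundRuleSummary | Sort-Object LocalPort | Format-Table -AutoSize

# The usual mistake is a rule whose remote scope was left at Any; surface those explicitly.
Get-InboundRuleSummary |
    Where-Object { $_.Action -eq 'Allow' -and $_.RemoteAddress -eq 'Any' } |
    Format-Table -AutoSize
```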

Logging On With the Master User

There are some cases where you will need to log in to the Vault with the Master user, for example in an emergency, or to grant a user permissions on a safe when no active user has the necessary permissions.

1. On the Vault Server edit “C:\Program Files (x86)\PrivateArk\Server\Conf\DBParm.ini”.
2. In order to use the Master user the DBParm.ini file must point to the location of the Recovery Private Key. By default this is the CD-ROM drive of the server. Because the lab VMs have no CD-ROM drive, you need to point it to the relevant location.
3. Update the “RecoveryPrvKey” parameter to point to the file “RecPrv.key” in the Master CD folder:
a. C:\CyberArkInstallationFiles\License and Operator Keys\Master CD\RecPrv.key

4. Restart the Vault service (using the PrivateArk Server console with the stop light), as any change to DBParm.ini requires a restart of the service.
5. Open the PrivateArk Client on the Vault Server machine.
6. In the User name field type: Master.
7. In the Password field enter the password that you selected during the installation process (Cyberark1).
8. You should now be logged on to the Vault as the Master user.
9. What system safes do you see now that you did not see with the built-in Administrator user? Note that you can see all the safes you created using the different users.

Note: The Master user can only log on while the Recovery Private Key is reachable, which is exactly why the key must not stay on the Vault. When you are done, point RecoveryPrvKey back at the CD-ROM drive, restart the service and remove the key file from the server; in production the Master CD stays offline and is connected only for the duration of the recovery.

Advanced PSMP Implementation

Requirements:
1. The customer wants to implement AD Bridge (ADB) functionality.
2. The user linuxuser01 is a member of the LinuxUsers group in LDAP.
3. Members of LinuxUsers are only allowed to log in to the UNIX device with their own named accounts, using their AD credentials.
4. The customer wants to use the PSMP to prevent end users from switching to the root01 account.

Objectives:
1. Implement AD Bridge functionality and make sure you can log in to the UNIX device as linuxuser01 (the local user should be created ‘on the fly’).
2. Implement SSH Access Control in order to prevent linuxuser01 from performing ‘su – root01’.

AD Bridge
Implementing AD Bridge to allow members of LinuxUsers to log in with their AD credentials requires the following steps.

Preparation:

1. Log in as root to the PSMP server and execute the following commands to install the prerequisite package libssh:

cd PSM-SSHProxy-Installation/Pre-Requisites/

rpm -i libssh-0.7.7-15.x86_64.rpm (tip: enter the first few letters of the file name and press the Tab key)

2. Press Enter and log out.


3. In the PVWA, create the root02 account. This account will be used to provision accounts on the Linux host.
a. Address = 10.0.0.20
b. Safe = Linux Accounts
c. Password = Cyberark1
4. Duplicate the ‘Unix via SSH’ platform and name the copy “Unix via SSH with Provisioning”.
5. Activate and edit the new platform. Under UI & Workflows > Privileged Session Management > SSH Proxy, add User Provisioning.
6. Set the parameter EnableUserProvisioning to Yes. Apply your change but do not exit.

7. Still under Privileged Session Management, set:
a. EnablePrivilegedSSO = No
b. UsePersonalPassword = Yes
c. Apply your change but do not exit.
(With these two settings the PSMP does not inject a stored password; the end user authenticates to the target with their own AD password.)
8. Delete the required property Username, leaving only Address.
9. Delete both Linked Accounts, i.e. LogonAccount and ReconcileAccount.
10. Apply your change and exit editing the ‘Unix via SSH with Provisioning’ platform.


11. Create the safe “AD-Prov-Target-Accounts” to store the target machine account.

a. Assign CPM: CPM_Unix
b. Grant the LinuxUsers group from ‘Cyber-Ark-Demo.Local’ Use and List access, but deselect Retrieve on the safe (members can connect through the PSMP but cannot read the account).

12. Add PSMP_ADB_AppUsers to the Linux Accounts safe with default permissions. This is required to grant the PSMP access to the root02 account that will be assigned as the ‘Provisioning Account’.

Note: If the environment has Dual Control enabled so that access to root01 requires authorization from mgr01, grant the ADB app user group the ‘Access Safe without confirmation’ permission, otherwise provisioning waits for an approval that nobody is there to give. This is not relevant for this lab, but it is a consideration in a production environment.

13. Create the template target machine account.

a. Store in Safe: AD-Prov-Target-Accounts
b. Device Type: Operating System
c. Platform Name: Unix via SSH with Provisioning
d. Address: 10.0.0.20
e. Password: <blank>
f. Save the new account.

14. In the Account Details page (classic view) of the account just created, select the ‘User Provisioning’ tab.

a. Associate the account ‘root02’.

15. Open PuTTY, enter linuxuser01@10.0.0.20@10.0.1.16 (Vault user@target address@PSMP address) in the “Host Name (or IP address)” field and press Open.

Note: linuxuser01 exists in Active Directory but not on the Linux target server prior to entering the above command; the PSMP creates the local account on the fly using root02 and logs you in with your AD password.
