CyberArk Automatic Account Management (CPM) Configuration

CyberArk CPM stands for Central Policy Manager. It is a self-hosted component of CyberArk that simplifies the password storage process and provides mature identity control features. The Central Policy Manager (CPM) is a Privileged Access Manager - Self-Hosted component and does not require a dedicated machine. However, it must be installed on a machine that is accessible to the network. For specific system requirements of the different plug-ins of the Central Policy Manager, see Central Policy Manager. CyberArk CPM offers high-level security to privileged accounts by using a one-time password management facility.

Create CPM plugins for Web applications

https://docs.cyberark.com/PrivCloud-SS/Latest/en/Content/Plugins/CPM_WebApplication.htm#Supportedbrowsers

Step 1: Create a user profile or user to run a browser

Depending on the type of environment that you have, hardened or non-hardened, to run a browser you must either create a user profile for the PluginManagerUser account or create a new local user.

When using PluginManagerUser in a hardened environment, it is necessary for PluginManagerUser to have a profile. CyberArk provides a Powershell script in the installation folder that creates a new profile folder to host the PluginManagerUser profile. This enables browsers to run on hardened CPM environments.

• In a PowerShell window, in the CPM bin folder where the extracted CreateUserProfile.ps1 file is located, run the CreateUserProfile.ps1 script as an Administrator:

  1. Enter Import-Module .\CreateUserProfile.ps1

  2. Enter Create-NewProfile "PluginManagerUser"

Step 2: Add webform fields

Use webform fields to interact with DOM elements that support web actions or create conditional statements that enable you to create blocks of webform field actions.

• Single webform field command usage
• Webform field if-else conditional statements

Single webform field commands enable you to interact with DOM elements that support web actions such as input, focus on elements, iFrame, redirect and validation.

Specify the information listed below in the webform fields. Add the fields in a list of rows, using the following format:

Input field

Click

Validation

Frame

Redirect

Failure Scenarios

Generate MFA code

Example 1

Example 2: For a site using iFrame

Example 3: For generating an MFA code

Step 3: Test the plugin

Before you integrate the plugin into a Privilege Cloud environment for an end-to-end test, you can invoke the new plugin manually. This enables you to test the plugin more easily and quickly.

Before you begin testing the plugin, review the Prerequisites.

Create a user.ini file to simulate parameters

To simulate the parameters sent to the plugin by the CPM, create a user.ini file in the format described in the following sections.

Enable/Disable Automatic Account Management

All passwords must be handled through the PVWA interface to ensure that the passwords on remote devices must be synchronized with the corresponding passwords in the Password Vault. However, if a password on the remote device is changed manually and not through the PVWA, it is no longer synchronized with its corresponding password in the Vault, and it becomes unavailable. Whenever this happens, it is essential for the relevant personnel to be alerted as soon as possible so that they can identify the unsynchronized password and regain control over the remote device.

Change Passwords

The password change processes determine how frequently passwords are changed and how the changes are initiated.  Authorized users can change passwords that are stored in the Safe through the
Password Vault Web Access. These passwords can be changed manually or replaced by a new password that is randomly generated by the Central Policy Manager. The CPM generates unique and highly secure passwords using the password policy and the random password generation mechanism. Therefore, passwords that are managed by the CPM do not need to be specified manually.

• Initiating password change process automatically (before the expiration period elapses)

The CPM can initiate a password change process before the scheduled time that is specified in a platform. The HeadStartInterval parameter determines the number of days before the account’s expiration that the CPM will initiate a password change process. If, for any reason, a password cannot be changed, the policy is not violated, and there is time to resolve any potential problems.

• Immediate password change

You can change one or more passwords immediately in the PVWA, regardless of whether they have been used or reached their expiration period. This is based on the ImmediateInterval parameter in the applied platform. 

• Manual or Automatic check-in (exclusive and one time account mode)

When the Master Policy enforces check-in/check-out exclusive access, passwords are changed when the user clicks the Release button and releases the account. This is based on the ImmediateInterval parameter in the applied platform. If the user forgets to release the account, it is automatically released and changed by the CPM after a predetermined number of minutes, defined in the MinValidityPeriod parameter specified in the platform.

• One-time account (without exclusive mode)

When the Master Policy enforces one-time password access, passwords are used once, and then changed by the CPM after a predetermined number of minutes, defined in the MinValidityPeriod parameter specified in the platform.

Verify Passwords

The password verification processes determine how frequently passwords are verified and how the verification is initiated. The CPM can verify password content on remote devices to ensure that they are synchronized with corresponding passwords in the Password Vault, and are valid and up-to-date. This process can either be managed automatically by the CPM or manually by an authorized user. If the password on the remote machine is not synchronized with the password in the Vault, the CPM alerts the user and can start a reconciliation process to synchronize the passwords.

• Initiating password verification manually

Password verification processes can be initiated manually by users in the PVWA on passwords marked with the VFAllowManualVerification parameter.

• Verifying passwords automatically

The CPM will automatically start a password verification process on passwords marked with the VFPerformPeriodic Verification parameter, according to the number of days specified in the VFVerification Period parameter. Automatic password verification is determined by the following: 

■ The Master Policy defines how frequently passwords will be verified. 

■ Platform settings applied to the account determine how verification is initiated and the hours during which the verification process will take place. 

Password verification is entirely independent of the password change process, which is configured separately.

Reconcile Passwords

The password reconciliation processes determine how frequently passwords are reconciled and how the reconciliation is initiated.  Passwords in the Vault must be synchronized with corresponding passwords on remote devices to ensure that they are constantly available. Therefore, the CPM runs a verification process to check that passwords are synchronized. If the verification process discovers passwords that are not synchronized with their corresponding password in the Vault, the CPM can reset both passwords and reconcile them. This ensures that the passwords are resynchronized automatically, without any manual intervention. The platform contains rules that determine whether automatic reconciliation will take place when a password is detected as unsynchronized, or whether it is launched only through a manual operation by an end user/system admin. A reconciliation account password that will be used to reset the unsynchronized password can be defined either in the platform or at account level. This account can be stored in a separate Safe, where it is only accessible to the CPM for reconciliation purposes. During password verification, the CPM plug-ins return a list of predefined errors to the CPM. Each platform specifies the specific errors that will launch a reconciliation process for passwords linked to that platform. This enables each enterprise to specify its own prompts for reconciling passwords and gives maximum flexibility to individual needs. During password reconciliation, the unsynchronized password is replaced in the Vault and on the remote device with a new password that is generated according to the relevant platform. As soon as reconciliation is finished successfully, all standard verifications and changes can be carried out as usual. Users can see details of the last reconciliation process in the Operational Views in the Accounts List.

Define a reconciliation password at either of the following levels:
■ Platform – All accounts attached to a specific platform will use the reconciliation account password specified in the platform.
■ Account – A reconciliation account password can be defined at account level and will override the account specified in the platform.

My best practice: You should have created a new safe and a new reconciliation account . And keep this account separate and treat it similar to the default accounts present in the internal vault thereby not touching it. This account has automatic password management enabled for monthly rotate password outside the schedule of other accounts.

• Initiating password reconciliation manually

Password reconciliation processes can be initiated manually by users in the PVWA on passwords marked with the RCAllowManualReconciliation parameter.

• Synchronizing passwords automatically

The CPM will automatically reconcile passwords marked with the RCAutomatic ReconcileWhenUnsynched parameter after it detects a password on a remote machine that is not synchronized with its corresponding password in the Vault.

• Automatic reconciliation process

A reconciliation process will be launched automatically in response to the CPM plugin error codes that are represented in the RCReconcileReasons parameter.