
CyberArk Automatic Account Management (CPM) Configuration

Enable/Disable Automatic Account Management

All passwords must be handled through the PVWA interface to ensure that the passwords on remote devices stay synchronized with the corresponding passwords in the Password Vault. However, if a password on the remote device is changed manually rather than through the PVWA, it is no longer synchronized with its corresponding password in the Vault, and the account becomes unavailable. Whenever this happens, it is essential that the relevant personnel are alerted as soon as possible so that they can identify the unsynchronized password and regain control over the remote device.

Change Passwords

The password change processes determine how frequently passwords are changed and how the changes are initiated. Authorized users can change passwords that are stored in the Safe through the Password Vault Web Access. These passwords can be changed manually or replaced by a new password that is randomly generated by the Central Policy Manager. The CPM generates unique and highly secure passwords using the password policy and the random password generation mechanism. Therefore, passwords that are managed by the CPM do not need to be specified manually.

  • Initiating password change process automatically (before the expiration period elapses)

The CPM can initiate a password change process before the scheduled time that is specified in a platform. The HeadStartInterval parameter determines the number of days before the account’s expiration that the CPM will initiate a password change process. If, for any reason, a password cannot be changed, the policy is not violated, and there is time to resolve any potential problems.

Verify Passwords

The password verification processes determine how frequently passwords are verified and how the verification is initiated. The CPM can verify password content on remote devices to ensure that they are synchronized with corresponding passwords in the Password Vault, and are valid and up-to-date. This process can either be managed automatically by the CPM or manually by an authorized user. If the password on the remote machine is not synchronized with the password in the Vault, the CPM alerts the user and can start a reconciliation process to synchronize the passwords.

Reconcile Passwords

The password reconciliation processes determine how frequently passwords are reconciled and how the reconciliation is initiated. Passwords in the Vault must be synchronized with corresponding passwords on remote devices to ensure that they are constantly available. Therefore, the CPM runs a verification process to check that passwords are synchronized. If the verification process discovers passwords that are not synchronized with their corresponding password in the Vault, the CPM can reset both passwords and reconcile them. This ensures that the passwords are resynchronized automatically, without any manual intervention.

The platform contains rules that determine whether automatic reconciliation will take place when a password is detected as unsynchronized, or whether it is launched only through a manual operation by an end user/system admin. A reconciliation account password that will be used to reset the unsynchronized password can be defined either in the platform or at account level. This account can be stored in a separate Safe, where it is only accessible to the CPM for reconciliation purposes.

During password verification, the CPM plug-ins return a list of predefined errors to the CPM. Each platform specifies the specific errors that will launch a reconciliation process for passwords linked to that platform. This enables each enterprise to specify its own prompts for reconciling passwords and gives maximum flexibility to individual needs.

During password reconciliation, the unsynchronized password is replaced in the Vault and on the remote device with a new password that is generated according to the relevant platform. As soon as reconciliation is finished successfully, all standard verifications and changes can be carried out as usual. Users can see details of the last reconciliation process in the Operational Views in the Accounts List.

Define a reconciliation password at either of the following levels:
■ Platform – All accounts attached to a specific platform will use the reconciliation account password specified in the platform.
■ Account – A reconciliation account password can be defined at account level and will override the account specified in the platform.
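The change, verify and reconcile rules described above can be followed more easily in code. The following is an added illustrative model, not CyberArk's implementation and not part of the original post: it schedules the change HeadStartInterval days before expiry, runs a simulated plug-in verification, alerts on drift, reconciles only when the platform permits it and the returned error is in the platform's reconciliation list, and resolves the reconciliation account with the account-level setting overriding the platform-level one. Only the name HeadStartInterval comes from the post; every other field, function, error code and sample value below is an assumption constructed for the example.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Illustrative model of the CPM rules described in the post; not CyberArk code.
# "HeadStartInterval" is the one real platform parameter named on the page;
# all other names, error codes and sample values here are assumptions.

@dataclass
class Platform:
    name: str
    expiration_days: int          # how often the password must be changed
    head_start_interval: int      # HeadStartInterval: start the change this many days early
    auto_reconcile: bool          # reconcile automatically when unsynchronized, else manual only
    reconcile_errors: frozenset   # plug-in error codes that may launch reconciliation
    reconcile_account: Optional[str] = None   # platform-level reconciliation account
    password_length: int = 16

@dataclass
class Account:
    name: str
    platform: Platform
    last_change: date
    vault_password: str
    reconcile_account: Optional[str] = None   # account-level override of the platform setting

@dataclass
class RemoteDevice:
    password: str   # what the target system actually holds


def generate_password(length: int) -> str:
    """Random password with at least one upper, lower, digit and symbol (assumed policy)."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%^&*"]
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def next_change_date(acct: Account) -> date:
    """Scheduled expiry minus HeadStartInterval, so a failed change leaves time to fix it."""
    p = acct.platform
    return acct.last_change + timedelta(days=p.expiration_days - p.head_start_interval)


def verify(acct: Account, device: RemoteDevice) -> Optional[str]:
    """Simulated plug-in verification: None when synchronized, else an error code."""
    return None if device.password == acct.vault_password else "PASSWORD_MISMATCH"


def reconcile_account_for(acct: Account) -> Optional[str]:
    """The account-level reconciliation account overrides the platform-level one."""
    return acct.reconcile_account or acct.platform.reconcile_account


def set_password(acct: Account, device: RemoteDevice, today: date) -> None:
    """Replace the password in the Vault and on the device with a freshly generated one."""
    new_password = generate_password(acct.platform.password_length)
    device.password = new_password
    acct.vault_password = new_password
    acct.last_change = today


def cpm_cycle(acct: Account, device: RemoteDevice, today: date) -> list:
    """One CPM pass: verify, alert/reconcile on drift, then change once the head-start date is reached."""
    actions = []
    error = verify(acct, device)
    if error is None:
        actions.append("verify:ok")
    else:
        actions.append(f"verify:{error}")
        actions.append("alert")   # personnel must hear about unsynchronized passwords promptly
        p = acct.platform
        if p.auto_reconcile and error in p.reconcile_errors and reconcile_account_for(acct):
            set_password(acct, device, today)   # reset both sides via the reconciliation account
            actions.append("reconcile")
        else:
            actions.append("manual-reconcile-required")
            return actions   # a password we no longer control cannot be changed on schedule
    if today >= next_change_date(acct):
        set_password(acct, device, today)
        actions.append("change")
    return actions


if __name__ == "__main__":
    # Constructed sample: a 30-day platform with a 5-day head start and automatic reconciliation.
    plat = Platform("Unix-SSH", 30, 5, True, frozenset({"PASSWORD_MISMATCH"}), "ReconSafe/recon_admin")
    acct = Account("root@host1", plat, date(2024, 1, 1), "Initial-Pw-1!")
    dev = RemoteDevice("Initial-Pw-1!")
    print(next_change_date(acct), cpm_cycle(acct, dev, date(2024, 1, 26)))
    dev.password = "changed-by-hand"   # someone bypassed the PVWA
    print(cpm_cycle(acct, dev, date(2024, 2, 1)))
```

Note that a reconciled account gets a fresh last_change date, so the regular change is not repeated in the same pass; and when the platform only allows manual reconciliation, the cycle stops at the alert, because the CPM cannot rotate a password it no longer holds.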

My best practice: You should have created a new safe and a new reconciliation account, and keep this account separate and treat it similarly to the default accounts present in the internal vault, thereby not touching it. This account has automatic password management enabled to rotate the password monthly, outside the schedule of other accounts.
