CyberArk PAS (Vault PrivateArk Server and Client) Installation - Part 1 - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Sunday, April 12, 2020

CyberArk PAS (Vault PrivateArk Server and Client) Installation - Part 1

The Digital Vault, also referred to as the Password Vault, is the secure location where your passwords and sensitive data can be stored. The Vault is designed to be installed on a dedicated computer, for complete data isolation. It is packed with state‑of‑the‑art security technology, and is already configured and ready‑to‑use upon installation. This means that the security system does not require any security expertise or complicated configuration to operate at peak capacity.

The Vault tracks access to every password that it stores, and provides a central repository for detailed auditing information.


Make sure OS and hardware requirements meet the CyberArk Docs recommendation.

EPV = Digital Vault + PVWA + CPM
PAS = EPV + PSM
Related Posts:


Enterprise Password Vault Solution (Vault)
For the vaults (details are in separate post):
-        Install Windows 2012 R2 or Windows 2016
-        Install at least .NET Framework 4.6.2 (if that or a greater version not already included)
-        DO NOT join it to the domain
-        Install all the latest Windows OS patches
-        Remove all protocols and services from the network card except TCP/IP version 4
-        The rest is performed during the install

Digital Vault Server Installation:

Support Platforms:
  • The Digital Vault server requires an Intel Pentium IV (or compatible) processor or later.
  • Support Windows 2016 and Windows 2012 R2
Software requirements:
  • .NET Framework 4.5.2 (It will be installed automatically once you started setup.exe installation wizzard). Reboot will be required.
Installation Steps:

  1. On the Vault machine, create a new folder and copy the contents of the installation package to it.
There will be three folders. One for Server, one for client, and the third one for high availability DR. 
  1. Display the contents of the Server folder, then start the installation procedure:
    Double-click Setup.exe
    or,
    On systems that are UAC-enabled, right-click Setup.exe, then select Run as Administrator.
    The Vault installation wizard appears and displays a list of required features that it will install on your computer before it can install the Digital Vault
  2. Click Install to begin the installation process; the installation process begins and the PrivateArk Server Setup window appears,
  3. Select Installation Locations. 
  4. Installation
    • Select Skip Remote Control Agent Configuration to proceed to the next step of the installation procedure without configuring the Remote Control Agent,
      • If you skipped Remote Contral Agent Configuration here , and later you want it to be enabled, you might need to go through lots of steps to bring t back. Strongly suggest you choose it now 
    • To install RabbitMQ, select the checkbox, then click Next, to proceed to the next step of the installation.
    • This step of the installation hardens the Vault machine.
      • Hardening can be done later.
    • To confirm that the Vault hardening procedure will be run as part of the installation, click Next,
    • This step of the installation enables you to specify the name of the folder where the Server files will be stored,
  5. Setup Passwords
    • The next step of the installation prompts you for passwords for the built-in Master user and Administrator user
    • Type the Master user’s password, then type it again to confirm.
    • Type the Administrator user’s password, then type it again to confirm
    • Select Yes, I want to restart my computer now, then click Finish to restart your computer.
    • You also can choose no, and after installed PrivateArk client then do restart.
    • The installation automatically updates your Windows Start menu, places a PrivateArk Server shortcut icon on the desktop, and updates the computer registry information. If you configured the Remote Control Agent during installation, it will start automatically after you restart your computer.
  6. Create a new Local User for the Logic Container Service
    • CyberArk has created a script that covers all the manual steps described below for all versions.
    • The LogicContainerUserConfiguration.ps1 script can be downloaded from the CD image.
    • To run the script, copy it to the Vault server and run it either by double-clicking the script or by opening PowerShell and running the script.
    • The script creates a log file next to it detailing all the steps done.

After completed Vault Server installation, you will find there are three built-in Safes in the vault and located at c:\PrivateArk folder:
1. Notification Engine
2. System
3. VaultInternal.

There are 8 built-in users and 6 built-in groups as show below.


Manual Hardening

1. From a command line, run an elevated cmd.exe prompt and navigate to the \Hardening folder. 
2. Run the following command: 
CAVaultHarden.exe StandAloneVault "[Full Path of Current Directory]" /AllowRDP [RDP Station IP] 

For example: CAVaultHarden.exe StandAloneVault "c:\temp" /AllowRDP 192.168.2.71

The usage from CAVaultHarden.exe is complete wrong. Do not follow the usage from exe file.

PrivateArk Remote Control Agent

If PriavateArk Remote Control Agent service has been installed during vault server installation, you will have a problem to start it later.I got following error message and not sure how to resolve it.


Only thing I can think about is to remove Vault installation and reinstall it with enable Remote Control agent during installation. Not sure how I could enable it manually after installed Vault.


Test Remote Control and Admin

The Remote Control Client is a utility that runs from a command line interface and carries out tasks on a Vault component where the Remote Control Agent is installed. It does not require any Vault components to be installed on the same computer, including a PrivateArk Client.

The Remote Control utility can be used for administrative tasks on the Password Vault and the DR Vault. It contains several general commands that are the same for each component. In these commands, use the following names to specify each component:
ComponentName
Vault serverVault
Disaster Recovery VaultPADR
Event Notification EngineENE
Cluster Vault ManagerCVM








4 comments:

  1. Great article and video's you have posted. Really helps me a lot, so thank you very much for all the effort you must have put into it all.

    Kind regards,

    Gerard

    ReplyDelete
    Replies
    1. You are welcome. Also thanks for comments. It is a long journey to learn CyberArk.

      Delete
  2. Great article, thanks so very much for the efforts. Quick question, is there a Part-2 to this document? If yes, can you pls share the link?

    ReplyDelete
    Replies
    1. You can find other parts from related posts:
      CyberArk PAS (PVWA) Installation - Part 2
      CyberArk PAS (CPM) Installation - Part 3
      CyberArk PAS (PSM) Installation - Part 4
      CyberArk PAS (PTA) Installation - Part 5
      CyberArk PAS (PTA) Configuration - Part 5.1
      CyberArk PSM HTML5 Gateway Installation and Configuration - Part 6https://blog.51sec.org/logout?d=https://www.blogger.com/logout-redirect.g?blogID%3D3065805205966125044%26postID%3D318040651611400956

      Delete