CyberArk 12.1 Lab - 2. Vault Installation

This post summarizes the steps to install the CyberArk Vault in the lab.




Diagram




System Requirements

Refer to this doc:



OS: Windows Server 2019, 2016 (preferred by the installation guide), 2012 (special requirements)
Application: multi-language, certificate, HSM, LDAP, cipher suites for Syslog, SMTP over SSL
Protocols: RDP



5 Two Operator CDs and two Master CDs, plus the license file
For this lab, copy the installation software, the Operator CD and Master CD contents, and the license file to the Vault server.



Architecture 

Primary-DR Environment:

Distributed Vaults (Active - Active)



Digital Cluster Vault Server:




Installation Prerequisite

1 Start from a clean installation of Windows Server 2016 Standard, and update Windows with all the latest patches.



2 Remove unnecessary network components so that only Internet Protocol Version 4 (TCP/IPv4) is left under Local Area Connection Properties - Networking.

Remove the DNS settings so that a compromised DNS server cannot redirect the Vault. If no traffic needs to leave the Vault's own network, you can also remove the default gateway; if you have a DR site, however, a default gateway must be configured. For my basic lab, all machines are in the same network.

Remove / disable LMHOSTS lookup and NetBIOS over TCP/IP.
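The network hardening above can be scripted instead of clicked through the adapter properties. This is an added example, not from the original post or CyberArk; it assumes a single NIC named "Ethernet0" (adjust to your lab) and an elevated PowerShell console on Windows Server 2016.

```powershell
# Added example (not from the original post or CyberArk): strips the Vault NIC
# down to IPv4 only, clears DNS servers, disables NetBIOS over TCP/IP and
# LMHOSTS lookup. Assumes the NIC is named "Ethernet0".
$Nic = "Ethernet0"

# Bindings to unbind; ms_tcpip (IPv4) stays. Component IDs are the standard
# Windows ones: IPv6, Client for Microsoft Networks, File and Printer Sharing,
# QoS Packet Scheduler, Link-Layer Topology Discovery mapper and responder.
$Unbind = @("ms_tcpip6", "ms_msclient", "ms_server", "ms_pacer", "ms_lltdio", "ms_rspndr")

foreach ($Id in $Unbind) {
    $b = Get-NetAdapterBinding -Name $Nic -ComponentID $Id -ErrorAction SilentlyContinue
    if ($b -and $b.Enabled) {
        Disable-NetAdapterBinding -Name $Nic -ComponentID $Id
        Write-Host "Unbound $Id from $Nic"
    }
}

# No DNS servers: the Vault resolves nothing, so a rogue DNS server cannot
# redirect it. Keep the default gateway if a DR site sits on another subnet.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ResetServerAddresses

# NetBIOS over TCP/IP: TcpipNetbiosOptions 2 = disabled on this adapter.
$IfIndex = (Get-NetAdapter -Name $Nic).ifIndex
$Cfg = Get-CimInstance Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and $_.InterfaceIndex -eq $IfIndex }
Invoke-CimMethod -InputObject $Cfg -MethodName SetTcpipNetbios `
    -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null

# LMHOSTS lookup is a system-wide setting, set through the class's static method.
Invoke-CimMethod -ClassName Win32_NetworkAdapterConfiguration -MethodName EnableWINS `
    -Arguments @{ DNSEnabledForWINSResolution = $false; WINSEnableLMHostsLookup = $false } | Out-Null

# Verification: only IPv4 should remain enabled on the adapter.
Get-NetAdapterBinding -Name $Nic | Where-Object Enabled |
    Select-Object ComponentID, DisplayName | Format-Table -AutoSize
```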

3 Installation files
  • CyberArk Vault server and Disaster Recovery software packages
  • Master folder
  • Operator folder
  • License file

4 Software requirements

Installation Steps

 

1 Start the CyberArk Digital Vault server and client installation

Further steps can use my previous posts as reference:
Or here are the detailed steps from the CyberArk doc:
  1. If you don't currently need a Distributed Vaults environment but are likely to migrate to this architecture, select the check box.

     

    If you want to install RabbitMQ after the Vault is already installed, you must upgrade or install again on a clean machine.

    Click Next.

  2. In the Vault Server Machine Hardening window, click Next.

     
    • Don't select the check box to skip hardening without first confirming with your CyberArk support representative.

    • The server hardening can't be reversed.

     
    • In rare cases, due to Windows services timing issues, the automatic hardening procedure might complete with errors. If it does, retry the hardening. If the automatic hardening does not succeed the second time, contact your CyberArk support representative.
    • When installing on Windows Server 2016, Japanese edition, the hardening stage of the installation may seem to complete with failures. See Troubleshooting Installation for details.
  3. In the Select Program Folder window, specify the name of the folder where the server files will be stored.

    • In the Program Folders field, enter a name for the CyberArk Vault folder inside the Windows Programs folder, then click Next,

    or,

    • Click Next to accept the default name.

  4. In the Set Built-in Users Passwords window, type the passwords for the built-in Master user and Administrator user.
 

The Master user is a break-glass account and the Administrator user has extensive privileges in the system, so both should have complex passwords with a mixture of numeric and mixed-case characters. By default, the password must contain at least one numeric character and 5 mixed-case characters.

  • Type the Master user’s password, then type it again to confirm.

  • Type the Administrator user’s password, then type it again to confirm.

Click Next.

  5. When the Setup Complete window appears, review the Server\Logs\VaultConfiguration.log file for any warnings. If there are any warnings, see Troubleshooting Installation.

    Select No, I will restart my computer later, then click Finish. The restart is deferred so that the PrivateArk Client can be installed first.



Make sure the Vault server has the same time as the other CyberArk servers. You can use your DC as the NTP server; it is also the default NTP server for all of your domain-joined machines.

a. In C:\Program Files\PrivateArk\Server\DBParm.ini, set the following parameter:
 
AllowNonStandardFWAddresses=[X.X.X.X,Y.Y.Y.Y,Z.Z.Z.Z],Yes,123:outbound/udp

Where X.X.X.X, Y.Y.Y.Y, Z.Z.Z.Z and so on are the Time Server IP addresses and port 123 is the Windows Time port.

b. Restart the Vault application using the PrivateArk Server Central Administration console (the PrivateArk Server icon on the desktop).
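Steps a and b above, written as a script that builds the AllowNonStandardFWAddresses rule from a list of time servers and writes it into DBParm.ini without duplicating it on a second run. This is an added example, not from the original post or CyberArk; the DC addresses are constructed lab values and the install path is the default one from step a.

```powershell
# Added example (not from the original post or CyberArk): writes the NTP
# AllowNonStandardFWAddresses rule into DBParm.ini idempotently.
# Assumes the default install path; $NtpServers are constructed lab addresses.
$DbParm     = "C:\Program Files\PrivateArk\Server\DBParm.ini"
$NtpServers = @("10.0.0.10", "10.0.0.11")   # e.g. the domain controllers

function Set-VaultNtpRule {
    param([string]$Path, [string[]]$Servers)

    # Format from step a: AllowNonStandardFWAddresses=[ip,ip,...],Yes,123:outbound/udp
    $Rule = "AllowNonStandardFWAddresses=[{0}],Yes,123:outbound/udp" -f ($Servers -join ",")

    Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep a backup first
    $Lines = Get-Content -Path $Path

    # Replace an existing NTP rule (port 123/udp) or append a new one; any other
    # AllowNonStandardFWAddresses lines (syslog, SMTP, ...) are left untouched.
    $Found = $false
    $Out = @(foreach ($L in $Lines) {
        if ($L -match '^\s*AllowNonStandardFWAddresses=.*,123:outbound/udp\s*$') {
            $Found = $true
            $Rule
        } else {
            $L
        }
    })
    if (-not $Found) { $Out += $Rule }

    Set-Content -Path $Path -Value $Out
    return $Rule
}

$Written = Set-VaultNtpRule -Path $DbParm -Servers $NtpServers
Write-Host "DBParm.ini now contains: $Written"
# Step b still applies: restart the Vault from the PrivateArk Server Central
# Administration console so the new outbound rule takes effect.
```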


Verification

 
1 Verify the six new services.
After hardening, the total number of running services has been reduced to 31.

Check that the following services have been installed and started:

  • PrivateArk Database

  • PrivateArk Server

  • CyberArk Logic Container

  • Cyber-Ark Event Notification Engine
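The service check above, together with the VaultConfiguration.log review from the Setup Complete step, as one post-install check. This is an added example, not from the original post or CyberArk; it assumes the default install path and the four service display names listed above.

```powershell
# Added example (not from the original post or CyberArk): checks that the Vault
# services are installed and running and scans VaultConfiguration.log for
# warnings. Assumes the default install path.
$LogPath  = "C:\Program Files\PrivateArk\Server\Logs\VaultConfiguration.log"
$Services = @("PrivateArk Database", "PrivateArk Server",
              "CyberArk Logic Container", "Cyber-Ark Event Notification Engine")

function Test-VaultInstall {
    param([string[]]$ServiceNames, [string]$Log)
    $Result = [ordered]@{ ServicesOk = $true; Missing = @(); NotRunning = @(); LogWarnings = @() }

    foreach ($Name in $ServiceNames) {
        # Match on the display name; -ErrorAction keeps a missing service from throwing.
        $Svc = Get-Service -DisplayName $Name -ErrorAction SilentlyContinue
        if (-not $Svc) {
            $Result.Missing += $Name; $Result.ServicesOk = $false
        } elseif ($Svc.Status -ne 'Running') {
            $Result.NotRunning += $Name; $Result.ServicesOk = $false
        }
    }

    if (Test-Path $Log) {
        # Any line mentioning a warning or error is worth reading before moving on.
        $Result.LogWarnings = @(Select-String -Path $Log -Pattern 'warn|error' |
            ForEach-Object { $_.Line })
    } else {
        $Result.LogWarnings = @("log not found: $Log")
    }
    return [pscustomobject]$Result
}

$Check = Test-VaultInstall -ServiceNames $Services -Log $LogPath
$Check | Format-List
if (-not $Check.ServicesOk -or $Check.LogWarnings.Count -gt 0) {
    Write-Warning "Review the items above (see Troubleshooting Installation) before continuing."
}
```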


2 Verify Vault status using Server Central Administration GUI

Check that the CyberArk Digital Vault started successfully.



3 Check Configuration and log files
Server\Conf
Server\Logs

4 Log into Vault to verify safes



HSM Integration

Contact CyberArk support for further professional assistance.








Multiple Vaults 



1 Verify network access between the Vaults for replication, failover, and failback

Network access to port 1858 is required between all Vaults. Run the following PowerShell command from each Vault against every other Vault:

  • Test-NetConnection <IP Address> -port 1858 | findstr "TcpTestSucceeded"
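The same port 1858 check, run from this Vault against a list of peer Vaults and summarized, so a failed direction is not missed when reading TcpTestSucceeded by eye. This is an added example, not from the original post or CyberArk; the peer addresses are constructed lab values, and the script should be run on each Vault so both directions are covered.

```powershell
# Added example (not from the original post or CyberArk): tests TCP 1858 from
# this Vault to every other Vault and reports which peers are unreachable.
# $Peers are constructed lab addresses (Primary / DR / Satellite Vaults).
$Peers = @("10.0.0.21", "10.0.0.22")
$Port  = 1858

function Test-VaultPeers {
    param([string[]]$Addresses, [int]$TcpPort)
    foreach ($Addr in $Addresses) {
        # -InformationLevel Quiet returns just $true/$false; -WarningAction hides
        # Test-NetConnection's own "TCP connect failed" warning.
        $Ok = Test-NetConnection -ComputerName $Addr -Port $TcpPort `
                  -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Peer = $Addr; Port = $TcpPort; Reachable = $Ok }
    }
}

$Results = Test-VaultPeers -Addresses $Peers -TcpPort $Port
$Results | Format-Table -AutoSize

$Failed = $Results | Where-Object { -not $_.Reachable }
if ($Failed) {
    # Replication, failover and failback all need 1858 open in both directions;
    # fix the firewall or route before installing the DR or Satellite application.
    Write-Warning ("Port {0} unreachable on: {1}" -f $Port, ($Failed.Peer -join ", "))
}
```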



2 Primary - DR Vault implementation

  • Install DR application on Primary vault server
  1. Right-click Setup.exe, then select Run as Administrator.

    The DR Vault wizard starts automatically and the CyberArk Installation window is displayed.

    Click Next.

     
    • You can exit the Disaster Recovery application installation at any time by clicking Cancel.

    • You can return to the previous installation window by clicking Back, where applicable.

  2. Read and accept the terms of the license agreement.

    Click Yes.

  3. Enter your user information:

    1. In the Name field, enter your first and last name.

    2. In the Company field, enter the name of your organization.

    Click Next.

  4. Select the folder on the server in which the DR Vault files will be located.

    Click Next to accept the default location

    or,

    Click Browse to select another location, and then click Next to proceed to the next step of the installation.

  5. Enter the user name and password that you created for the DR Vault.

     

    You must create a unique DR user for each Vault (the Primary Vault server and DR Vault server must have different user names).

    The DR user contains a credentials file with the specified user name and an encrypted version of the specified password. For more information about DR users, see Disaster Recovery Users.

    Click Next.

  6. Specify the IP address and the port of the Primary Vault.

    Click Next.

  7. Click Yes, I want to restart my computer now.

  8. Click Finish to complete the setup and restart the machine.


  • Install Vault Server / Client and DR application on DR vault server






3 Distributed Vault Implementation

Installing a Distributed Vaults environment is complicated and involves many extra installation and configuration steps that must be performed in a strict order, as described in this CyberArk doc.

Perform the PVWA installation against the Primary Vault. For details, see Install PVWA.

In a Distributed Vaults environment, first install all PVWAs against the Primary Vault, and then configure those PVWAs that will work against the Satellite Vault, as described in Configure a list of prioritized Vaults in Distributed Vaults environment for CyberArk clients.

You must install PVWA and CPM according to the following order. First, install all PVWAs that will be connected to the Primary Vault, then all CPMs, and only then install all PVWAs that, after the installation against the Primary Vault, will be configured to work against the Satellite Vault.






