
CyberArk PAS Configuration Notes (Architecture/LDAP,NTP,SMTP/Backup)

CyberArk is an information security company focused mainly on privileged account security. The CyberArk Privileged Account Security solution comprises features that secure, monitor and manage privileged accounts.
The most widely used components are the following:
  • Enterprise Password Vault
  • Central Policy Manager (CPM)
  • Password Vault Web Access (PVWA)
  • Privileged Session Manager (PSM)

PAS = Privileged Access Security



Password Management Architecture

Session Manager Architecture

Privileged Threat Analytics Architecture
PAM Solution High Availability Design




PAS Configuration Steps

On the Domain Controller:
1. Create a CyberArk bind user, e.g. [email protected]. Usually it is a domain admin account.
2. Define the following LDAP groups and their CyberArk role mappings:
CyberArk Vault Admins - Vault Admins
CyberArk Safe Managers - Safe Managers
CyberArk Auditors - Auditors
CyberArk Users - Users


From PVWA Web GUI:
1. Activate PSM
2. Deactivate 'Require users to specify reason for access'
3. Integrate LDAP


On the Vault
1. A manual restart of the Vault service will not start the Event Notification Engine service.


LDAP Integration



BindUsername and BindPassword are the credentials you entered when you integrated CyberArk with your LDAP. If for some reason you have trouble creating a new mapping, there is usually an issue with the bind account. You can modify the username / password from the following configuration location:

Note: once CyberArk is integrated with LDAP, the LDAP integration wizard is greyed out. To re-activate the LDAP integration wizard, you will need to delete Administration - LDAP Integration - Server configuration (e.g. 51sectest.com). Also delete the LDAP directory mapping from the PrivateArk client.


Reconcile Account

Passwords in the Vault must be synchronized with corresponding passwords on remote devices to ensure that they are constantly available. Therefore, the CPM runs a verification process to check that passwords are synchronized. If the verification process discovers passwords that are not synchronized with their corresponding password in the Vault, the CPM can reset both passwords and reconcile them. This ensures that the passwords are resynchronized automatically, without any manual intervention.

During password reconciliation, the unsynchronized password is replaced in the Vault and on the remote device with a new password that is generated according to the relevant platform. As soon as reconciliation is finished successfully, all standard verifications and changes can be carried out as usual. Users can see details of the last reconciliation process in the Operational Views in the Accounts List.

NTP

Note: Time synchronization is critically important in CyberArk PAS architecture. Even more so when implementing the CyberArk Cluster Vault Management solution. In the following exercise we will integrate both nodes of the cluster vault with an external time source.

1. Log on as Administrator to the passive node of the cluster.
a. Using Windows File Explorer, navigate to ‘C:\Program Files (x86)\PrivateArk\Server\Conf’.
2. Edit the dbparm.ini file, adding the following lines to the end of the file. This creates inbound and outbound firewall rules that allow the Vault to communicate with the NTP server.
[NTP]
AllowNonStandardFWAddresses=[10.0.0.2],Yes,123:outbound/udp,123:inbound/udp

3. Enable the Windows Time service using the Windows Services applet.
4. Double click “Windows Time” to display the service properties.
5. Update the Startup type to Automatic (Delayed Start) and click OK.
6. Start the Windows Time service.
7. Repeat the above procedures on the active node of the cluster before proceeding.
8. To commit the changes made to the DBParm.ini file, we must restart the PrivateArk Server service.
Note: In an HA Cluster Vault implementation, you can no longer start and stop CyberArk services through the normal interface. Services must be restarted using the ClusterVault Management or CVM interface. To restart the services, we will simply failover to the passive node to commit the changes.
9. Ensure that you are logged into the active node of the cluster. Open the CVM to determine the active and passive node. Only the active node is capable of manually executing the failover procedure.
10. Open the CVM on the active node and click the center icon with the opposing arrows to initiate the failover procedure.
11. Click Continue to confirm the switch.
a. Observe the failover progress in the CVM or alternatively monitor “C:\Program Files (x86)\PrivateArk\Server\ClusterVault\ClusterVaultConsole.log”
b. The log will display the failover sequence.
12. Next, we need to set a special time skew so that, if the clock is very far off, the vault will not make too large of a system time change at once. This will force the NTP service to change every 30 minutes for the first 3 checks and then every 8 hours. This prevents triggering anti-tampering protections in the vault that could be activated by creating new audit entries that occur before existing audit entries.
13. Ensure you are working on the active node.
14. Open regedit. Browse to HKLM\System\CurrentControlSet\Services\W32Time\Parameters.
15. Add a new DWORD and name it “Period”.
a. Double click it and change the Base to decimal and make the Value data “65532”.
b. Close the Registry Editor.
16. Open an Administrative Command prompt and run the following command:
W32tm /config /manualpeerlist:10.0.0.2 /syncfromflags:manual /reliable:YES /update
17. Fail over to the passive node. When the failover is complete, log in to the (now) active node.
Complete steps 13 – 17 on the active node of the Cluster Vault.
18. Both nodes of the Vault cluster are now synced to the external NTP time source.
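The per-node part of the procedure above (dbparm.ini firewall entry, Windows Time service, Period skew value, W32tm peer) as an added PowerShell example; it is not from the original notes or from CyberArk. It assumes the NTP server 10.0.0.2 and the paths used in the notes, and it deliberately does not restart the PrivateArk Server service, since on a cluster that is done by failing over in the CVM.

```powershell
# Added example: apply and verify the NTP settings on ONE cluster node.
# Run in an elevated PowerShell on the passive node, fail over via CVM, then repeat.
$NtpServer  = '10.0.0.2'                                                  # from the notes
$DbParm     = 'C:\Program Files (x86)\PrivateArk\Server\Conf\dbparm.ini'  # from the notes
$W32TimeKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

# 1. dbparm.ini: let the Vault's built-in firewall pass NTP to/from the time source.
#    Appended only if the exact line is missing, so re-running is safe.
$fwLine = "AllowNonStandardFWAddresses=[$NtpServer],Yes,123:outbound/udp,123:inbound/udp"
$conf   = Get-Content -Path $DbParm -ErrorAction Stop
if ($conf -notcontains $fwLine) {
    Add-Content -Path $DbParm -Value @('[NTP]', $fwLine)
    Write-Host "dbparm.ini updated; commit it with a CVM failover (do not restart the service by hand)."
}

# 2. Windows Time service: Automatic (Delayed Start), then start it.
#    sc.exe is used because Windows PowerShell 5.1's Set-Service has no delayed-start option.
sc.exe config w32time start= delayed-auto | Out-Null
Start-Service -Name w32time

# 3. Period = 65532: the special skew so a badly drifted clock is corrected in steps,
#    which avoids writing audit records that pre-date existing ones.
if (Get-ItemProperty -Path $W32TimeKey -Name Period -ErrorAction SilentlyContinue) {
    Set-ItemProperty -Path $W32TimeKey -Name Period -Value 65532
} else {
    New-ItemProperty -Path $W32TimeKey -Name Period -PropertyType DWord -Value 65532 | Out-Null
}

# 4. Point W32Time at the external source (same command as step 16) and pick up the change.
w32tm.exe /config "/manualpeerlist:$NtpServer" /syncfromflags:manual /reliable:YES /update | Out-Null
Restart-Service -Name w32time

# 5. Verify what was applied: the dbparm entry, the registry value, the peer and the offset.
$checks = [ordered]@{
    'dbparm.ini has NTP firewall line' = (Get-Content -Path $DbParm) -contains $fwLine
    'Period registry value'            = (Get-ItemProperty -Path $W32TimeKey -Name Period).Period
    'W32Time source'                   = (w32tm.exe /query /source)
    'Windows Time service status'      = (Get-Service -Name w32time).Status
}
$checks.GetEnumerator() | ForEach-Object { '{0,-34}: {1}' -f $_.Key, $_.Value }
w32tm.exe /query /status   # shows Last Successful Sync Time and Phase Offset
```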


SMTP Notification

SIEM Integration / Syslog

Vault Backup Steps


Step 1: The Vault Backup utility (PAReplicate.exe) generates a metadata backup in the Vault’s Metadata Backup folder, then exports the contents of the Data folder and of the Metadata Backup folder to the computer on which the Backup utility is installed.
Step 2: After the replication process is complete, the external backup application copies all the files from the replicated Data folder and the Metadata folder.
Keep the replicated files on the Backup utility machine after the external backup application has copied them. The next time you run the Backup utility to the same location, it updates only the modified files, which reduces the replication time.

CMD Backup


Script:

@echo off
cd "c:\Program Files (x86)\PrivateArk\Replicate"
echo %date% %time% Start of task > ReplicateBatch.log
echo User=%UserName%, Path=%path% >> ReplicateBatch.log
PAReplicate.exe Vault.ini /logonfromfile user.ini /fullbackup 1>> ReplicateBatch.log 2>> ReplicateBatch.err
echo %date% %time% End of task >> ReplicateBatch.log

Scheduled Job:
  • Run as: Local System (with "Run with highest privileges" set)
  • Program/script: "c:\Program Files (x86)\PrivateArk\Replicate\PAReplicate.exe"
  • Add arguments: vault.ini /logonfromfile user.ini /fullbackup
  • Start in: c:\Program Files (x86)\PrivateArk\Replicate
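The scheduled job above, registered from PowerShell instead of the Task Scheduler GUI, as an added example that is not part of the original notes. It uses the same program, arguments, start-in folder and Local System principal the notes specify; the task name, the 02:00 daily trigger and the 6-hour time limit are assumptions, and user.ini is the credential file the notes pass to /logonfromfile.

```powershell
# Added example: register the PAReplicate full-backup job and report its last result.
# Run in an elevated PowerShell on the machine where the Backup utility is installed.
$ReplicateDir = 'C:\Program Files (x86)\PrivateArk\Replicate'   # "Start in" from the notes
$TaskName     = 'CyberArk Vault Backup'                          # assumed task name

# Program/script, arguments and working directory exactly as in the notes.
$action = New-ScheduledTaskAction `
    -Execute (Join-Path $ReplicateDir 'PAReplicate.exe') `
    -Argument 'vault.ini /logonfromfile user.ini /fullbackup' `
    -WorkingDirectory $ReplicateDir

# Daily at 02:00 is an assumption; pick a window outside CPM change/verify activity.
$trigger = New-ScheduledTaskTrigger -Daily -At '02:00'

# Local System with highest privileges, matching "Runas Local System" in the notes.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Never let two replications overlap, and kill a hung run (6 h is assumed).
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Hours 6) -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Confirm the registration and surface the last run's outcome: a non-zero
# LastTaskResult means PAReplicate exited with an error and the backup is stale.
$task = Get-ScheduledTask -TaskName $TaskName
$info = Get-ScheduledTaskInfo -TaskName $TaskName
[pscustomobject]@{
    Task       = $task.TaskName
    State      = $task.State
    RunAs      = $task.Principal.UserId
    LastRun    = $info.LastRunTime
    LastResult = ('0x{0:X}' -f $info.LastTaskResult)
    NextRun    = $info.NextRunTime
} | Format-List
```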



Key Features of Core PAS


Standard Core PAS Components


RDP Traffic Flow



Vault, Components and Clients

2 comments:

  1. Thank you! Cyberark doesn't look unpolished. However, it still has some issues.

    1. Hi Roland, it does what it can do. Understanding how those components (PVWA, CPM, PSM, Vault Server, Vault Client) work together is important before implementing it, especially before rolling out to your production environment. I am still testing lots of other features, such as HTML5 gateway, PSMP, integrating with other applications and databases. It looks promising based on the CyberArk website, but it does need a good engineer behind it.