
CyberArk PAS Install and Configure Lab - v10.9


Scenario
CyberArk Demo Inc. (“the Customer”) has just purchased CyberArk’s Privileged Account Security (PAS). This document details the Customer’s specific requirements regarding the use of PAS in their environment:



You are required to install and implement the PAS solution to support the customer’s specific requirements. You will be given access to CyberArk’s documentation in order to complete your task. You may use the detailed installation guide provided by the trainer or the formal CyberArk installation guide. The installation guide provided by the trainer should be used in the training environment only. For production deployments, use the CyberArk published documentation for the version you are installing.


You have been assigned the responsibility of assisting a customer in installing and configuring the CyberArk Privileged Access Security suite. The Customer has purchased CyberArk’s EPV solution to protect and manage their privileged accounts. End users are required to authenticate to CyberArk using two-factor authentication.


In the following sections you will be required to:
1. Install a standalone Vault
2. Install 2 CPM Servers (one for managing Windows accounts and one for managing Unix and Oracle)
3. Install 2 PVWA Servers (Load Balanced, and configured for automatic failover to the DR vault)
4. Install 2 PSM Servers in a Load Balanced configuration
5. Install 1 PSMP Server
6. Install the Disaster Recovery and Vault Backup components
7. Integrate CyberArk with the Customer’s LDAP, SMTP and SIEM solutions
8. Implement 2 Factor Authentication
9. Test the PAS EPV implementation. Add test accounts on the following target systems: Windows Domain, Windows Server, Linux and Oracle, and execute password management and PSM operations.


Contents
SCENARIO
EPV INSTRUCTIONS
VAULT INSTALLATION
BEFORE INSTALLATION
VAULT SERVER INSTALLATION
PRIVATEARK CLIENT INSTALLATION
POST VAULT INSTALLATION
INSTALL PASSWORD VAULT WEB ACCESS
INSTALL IIS PRE-REQUISITE SOFTWARE USING AUTOMATIC PREREQUISITES SCRIPT
REQUIRE HTTP OVER SSL (PVWA)
INSTALL PVWA
HARDENING THE CYBERARK PVWA SERVERS
CONFIGURE IIS REDIRECTION
TEST PVWA LOAD BALANCING
INSTALL CPM (DISTRIBUTED)
INSTALL 1ST CPM
INSTALL THE PRIVATEARK CLIENT ON THE COMPONENT SERVER
POST CPM INSTALLATION
INSTALL 2ND CPM
POST CPM INSTALLATION
INSTALL THE PRIVATEARK CLIENT ON THE COMP01B SERVER
RENAME 1ST CPM
UPDATE THE NAME OF THE CPM IN THE PVWA
HARDEN THE CPM SERVER
INTEGRATIONS
LDAP AUTHENTICATION (OVER SSL)
SMTP INTEGRATION
SIEM INTEGRATION
NTP INTEGRATION
AUTHENTICATION TYPES
RADIUS AUTHENTICATION
PKI AUTHENTICATION
TWO FACTOR AUTHENTICATION (2FA)
EPV TESTING AND VALIDATION
ADD WINDOWS DOMAIN ACCOUNT
ADD WINDOWS SERVER LOCAL ACCOUNT
ADD LINUX ROOT ACCOUNT
ADD ORACLE DATABASE ACCOUNT
INSTALL PSM/PSMP
INSTALL A STANDALONE PSM INSTALLATION
PSM INSTALLATION PREREQUISITES
PSM INSTALLATION
PSM POST INSTALLATION
PSM HARDENING
PSM TESTING AND VALIDATION
LOAD BALANCED PSM SERVERS
CONFIGURE PSM LOAD BALANCING
PSM FOR SSH INSTALLATION
SECURING CYBERARK
LOCK DOWN A USER’S INTERFACE
USE RDP OVER SSL
MANAGE LDAP BINDACCOUNT
MANAGE PSMCONNECT/PSMADMINCONNECT USING THE CPM
MANAGE CYBERARK ADMINISTRATOR ACCOUNT USING THE CPM
CONNECT WITH PSM-PRIVATEARK CLIENT
CONNECT USING PSM-PVWA-CHROME
BACKUP
ENABLE THE BACKUP AND DR USERS
INSTALL THE PRIVATEARK REPLICATOR COMPONENT
TESTING THE BACKUP/RESTORE PROCESS
DISASTER RECOVERY
INSTALL THE DISASTER RECOVERY MODULE
VALIDATE THE REPLICATION WAS SUCCESSFUL
EXECUTE AUTOMATIC FAILOVER TEST
EXECUTE FAILBACK PROCEDURE USING MANUAL FAILOVER
(OPTIONAL) EXERCISES
ADVANCED PSMP IMPLEMENTATIONS
ADDING FIREWALL RULES TO THE VAULT MANUALLY

Privileged Account Security Install & Configure, v10.9
CyberArk University Exercise Guide
© Cyber-Ark® Software Ltd - No part of this material may be disclosed to any person or firm or reproduced by any means, electronic and mechanical, without the express prior written permission of Cyber-Ark® Software Ltd.


