CyberArk PAS Configuration Issues and Troubleshooting (CPM) - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Sunday, June 7, 2020

CyberArk PAS Configuration Issues and Troubleshooting (CPM)

Collected some issues I met during working on CPM.
  • Safe not found
  • CPM Password Rotating Policy Not Working
  • CPM Change Password Failed
  • Use Reconcile Account to Change Password
  • Public Website Password Change / Verification Issue

Related posts:

CPM vault.ini

For high availability, you might have two Vaults. One is at Primary site and second is at DR. We can add both vault ip addresses into vault.ini for PVWA and PSM. But in any chance, your CPM is only can configured to one Vault if you have multiple CPMs. 

That is to keep only following situation not happening. Two CPMs are writing to one Vault at the same time. 


Safe not found

CACPM177E Error while creating extra passwords section -Safe not found

Usually it is caused because there is no CPM server assigned for this Safe.

Master Policy Rotating Password Not Working

Master Policy has set "Require password change every X days", but the password was not changed automatically. The platform also need to set PerformPeriodicChange to Yes.
same thing on verification. 

Here are some settings for daily rotation at assigned time:
1. created exception on master policy to let the password expire every 2 days and set HeadStartInterval value to 1 day. So CPM can change password everyday. 2. set PasswordChange-> ExecutionDays-> Sun,Mon,Tue,Wed,Thu,Fri,Sat 3. set PerformPeriodicChange to yes 4. set FromHour to 1 hour (1:00 AM) 
5. set ToHour to 3 hour (3:00AM)
 6. set interval to 59 minutes ((Range in minutes [ToHour-FromHour] / 2) -1)



Or based on kb : https://cyberark-customers.force.com/s/article/CPM-Password-Not-Rotating-Daily
The password should change between the hours of 23:00 and 24:00, daily. The Master policy "Require password change every X day" is set to 1 day.
1. HeadStartInterval
- This should be less than the ExpirationPeriod / Require password change every X days. In the example of the password rotating daily, this should be set to 0.
2. PerformPeriodicChange
- As this allows the account to be managed by the Master Policy "Require password change every X days". In the example where "Require password change every X days" is set to 1, this should be set to Yes.
3. Interval (The number of minutes that the Central Policy Manager waits between running periodic searches for the platform. Default is 1440 minutes = 24 hours)
- To help facilitate the change happening, we typically recommend using the formula of ((window/2)-1). In the example where 'FromHour'=23 and 'ToHour'=24 (1-hour window or 60 minutes), then the 'Interval' setting for that policy file should be ((window/2)-1) which is ((60 minutes/2)-1) = (30-1) = 29. The Interval should be set to 29.



CPM Change Password Failed

ExpirationPeriod
Failure Description: Error in changepass to user 51sec.org\testAdmin on domain 51sec.org(\\51secSRV11).(winRc=2245) The password does not meet the password policy requirements
Check the minimum password length
password complexity and password history requirements
CPM



Group policy limited password minimum change time is 24 hours.


Use Reconcile Account to Change Password

Is there a way for cpm password change process to use reconcile account to change password?

Answer: Yes it can. If you talk about windows account then you need to set the parameter Changepassword in reset mode to yes. I don’t think you need to set any parameter for Linux account.




Public Website Password Change / Verification Issue

I found this question published on Reddit and thought it is helpful for my work.
I created a Twitter account that does not have MFA enabled
  • Restarted CyberArk Password Manager windows service on the CPM server
  • Created a clone of the Twitter - CPM platform
Edited the platform settings:
  • Automatic Password Management --> Additional Policy Settings --> Parameters --> DriverFolder Value= correct path to the Selenium driver
  • Automatic Password Management --> Additional Policy Settings --> Parameters --> BrowserPath Value= correct path to Chrome.exe
  • Added Twitter account using the cloned platform and correct password for account
  • Within the Required Properties was Address: I was unsure what to put there so i used https://twitter.com
  • Attempted to verify the password and receive the error message below:
CACPM344E Verifying Password Safe: Secret-Squirrel, Folder: Root, Object: Website-TWITTER-httpstwitter.comlogin-Rocky failed (try #3). Code: 9307, Error: Execution error. Verify process failed - Timeout error. Failed to find element '//*[@id="react-root"]/div/div/div[1]/main/div/div/form/div/div[3]/div/div' in page. Refer to the log for more information. Error code:9307 The CPM is trying to verify this password because its status matches the following search criteria: ResetImmediately,Failure.
I looked up CACPM344E in the CyberArk Messages and Responses guide. It seems like a very generic answer and states to check the specific error message (Code: 9307). There is no mention of 9307 in the CyberArk Messages and Responses guide nor in the support portal that i found. I opened a case with CyberArk, but i was wondering if anyone has experienced this.

================
Answer from Reddit:
Twitter probably changed their login page and now it's looking for a field that's named differently, etc. This is the problem with CPM plugins for public facing websites not under your control - Designs will change and every time they do it will break your CyberArk plugins
















No comments:

Post a Comment