CyberArk 12.1 Lab - 4. CPM Installation - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Tuesday, June 21, 2022

CyberArk 12.1 Lab - 4. CPM Installation

This post summarizes some steps to install CPM (Central Policy Manager).



Diagram






System Requirements

Refer to this doc and Install CPM:



OS: 2019. 2016 (Preferred by installation guide), 2012 (Special requirements)
Application: Multi-language, Certificate, HSM, LDAP, Cipher suites for Syslog, SMTP over SSL
Protocols: RDP 




CPM should place to location close to the end targets, such as servers or applications. 



5 Enable a secure channel between CPM and PVWA server, if your CPM is going to be installed on a different server from PVWA.


Architecture 

Active - Passive



Active - Active














Installation Prerequisite

1 Clean installation of Windows 2016 standard. Update windows system to latest with all patches. 


2 Software requirements
3 Run the CPM server prerequisites script

The CPM_PreInstallation.ps1 script automates and performs the following tasks:

  • Verifies .NET version
  • Sets IIS SSL TLS configuration

To run the CPM_PreInstallation script:

  1. Copy the CPM folder from the installation package to the CPM server, and unzip the folder.

  2. In the InstallationAutomation folder, locate the CPM_PreInstallation.ps1 file.

  3. Open the PowerShell window, and run the CPM_PreInstallation.ps1 file as Administrator.


Installation CPM using scripts

 

1 Install CPM using scripts

  1. In the CPM\InstallationAutomation\Installation folder, locate and open the InstallationConfig.xml file.
  2. In the InstallationConfig.xml file, specify the following parameters:

    Parameter

    Description

    Username

    The name of the user running the installation.

    Valid values: Username

    Default value: Windows User

    Company

    The name of the company running the installation.

    Valid values: Company name

    Default value: My Company

    CPMInstallDirectory

    The path where CPM is installed.

     

    If the path is more than 260 characters, enable the LongPathsEnabled setting.

    In the Registry Key settings, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Filesystem > LongPathsEnabled, and change the value from 0 to 1. Reboot the machine to recognize the new key setting.

    Valid values: Pathname

    Default value: C:\Program Files (x86)\CyberArk\

    isUpgrade

    Whether this is a CPM upgrade or a new CPM installation.

    Valid values: True/False

    Default value: False

  3. In a PowerShell window, run the CPMInstallation.ps1 script as Administrator.



2 Registration

The registration process connects the CPM to the Vault.

  1. In the CPM\InstallationAutomation\Registration folder, locate and open the CPMRegisterComponentConfig.xml file.

  2. In the CPMRegisterComponentConfig.xml file, specify the following parameters.

    Parameter

    Description

    accepteula

    Acceptance of the end user License agreement.

    Valid values: Yes/No

    vaultIP

    The IP address or hostname of the Vault server.

    Valid values: IP address or hostname

    vaultport

    The Vault’s configured communication port.
    Recommended default Vault port: 1858

    Valid values: Port number

    vaultuser

    The name of the Vault user performing the installation.

    Valid values: Username

     

    We recommend using the Vault administrator user to install CPM as this user has the appropriate Vault authorizations, and is created in the appropriate location in the Vault hierarchy.

    For more information about the required authorizations, see Vault user authorizations.

    pocmode

    Whether or not CPM is installed in POC mode.

    Valid values: True/False

    installDirectory

    The path where CPM is installed.

    Specifiy the same value as the CPMInstallDirectory value in the InstallationConfig.xml file.

    Valid values: Pathname

    Default value: C:\Program Files (x86)\CyberArk\

    username

    Sets the CPM user name. CPM Safe names will be created according to the user name that you specify.

    If the user name is already in use, a sequence number will be added.

    Example: PasswordManager1, PasswordManager2 and so on.

    Default value: PasswordManager

    isUpgrade

    Indicates whether the registration is for a clean installation or an upgrade.

    Valid values: True\False

    Default value: False

  3. In a PowerShell window, run the CPMRegisterComponent.ps1 script as Administrator, and provide the Vault password in one of the following ways.

    Method

    Command

    As a secure string (recommended) 

    CD “<installation package Path>InstallationAutomation\Registration” .\CPMRegisterComponent.ps1 -spwdObj <vaultpassword>

    Use a Windows authentication window (recommended for manual runs)

    CD “<installation package Path>InstallationAutomation\Registration” .\CPMRegisterComponent.ps1

    As clear text (not recommended)

    CD “<installation package Path>InstallationAutomation\Registration” .\CPMRegisterComponent.ps1 -pwd <vaultpassword>



Install CPM using installation wizard

 This installation process installs the CPM and connects to the Vault (registration).

  1. On the CPM machine, create a new folder, and copy the Central Policy Manager folder from the installation package to the new folder.

  2. Start the installation procedure by doing one of the following actions:

    • Double-click Setup.exe

    • On systems that are UAC-enabled, right-click Setup.exe, and then select Run as Administrator.

      The Setup window appears.

       

      You can exit installation at any time by clicking Cancel. You can return to the previous installation window by clicking Back, when relevant.

  3. Click Next.

    A list of applications appear that must be installed on your machine prior to the CPM installation.

  4. Click Install.

  5. Read the license agreement, and then click Yes.

  6. In the Customer Information window, enter your name and Company name in the appropriate fields, and then click Next.

  7. In the Destination location window, do one of the following actions:

    • Click Next to accept the default location where the CPM will be installed (displayed in the Destination Folder area).

    • Click Browse, select another location, and then click Next.

  8. In the Setup Type window, select No Policy Manager was previously installed, and then click Next.

  9. In the Vault's Connection Details window, enter the IP address or DNS of the Vault and its port number, and then click Next.

  10. In the Vault's Username and Password Details window, enter the name and password of the Vault user who will create the CPM environment in the Vault, and then click Next.

     

    Use the Vault administrator user to add the complete installation, and create it in the appropriate location in the Vault hierarchy.

    Only the Vault administrator user has permissions to add the new platforms. If they are not added automatically during installation, you can import them manually after the installation.

    The installation process begins, and builds the CPMenvironment in the Vault and on the CPM machine.

    1. If there is an existing PasswordManager user in the Vault, the following window appears.

      Do one of the following actions:

      • Accept the default CPM user name

      • Enter a different name

    2. Click Next to continue with the installation.

    3. If the cpm.ini file already exists in the Vault, the following

      the following window appears.

      8a

      Do one of the following actions:

      • Click Yes to override the existing cpm.ini file

      • Click No to leave the existing cpm.ini file in the Vault

  11. In the Setup Complete window, click Finish to complete the installation.

  12. Restart the machine.


Note: You might face an error regarding CPMEM038E Error while installation wizard trying to import platforms. Import platforms manually  ( ignore this error )

Error message :
CPMEM038E Error while trying to import platforms. Import the platforms manually. Refer to log for more information.


Post-Installation

Refer to this doc:

1 Create a Trusted Network Area

During installation, several Vault objects are created to enable the CPM to access existing passwords, generate new ones and replace them on a remote machine. However, before the CPM can begin working, it is recommended to create a Trusted Network Area for the CPM user to log on to the Vault.

Make sure that the CPM user can only log on to the Vault from the CPM machine.

To create a trusted network area:

  1. Create a Network Area that includes only the IP address of the CPM machine, and from where the CPM user will log on to the Vault.

  2. In the User Properties window, add this network area to the user’s Trusted Network Areas.

  3. Restart the following services:

    • CyberArk Password Manager service

    • CyberArk Central Policy Manager Scanner


2 Check the installation log files and CPM log files
Capture the installation log file and save it to somewhere else. Else, the installation log file will be automatically deleted after next reboot. 

pm.log
pm_error.log


3 Check the CPM related files and services




4 Add restrictions to the protected credentials file


5 Vault Changes, such as safes, users, saved files. 


Hardening

The CPM hardening process is a series of tasks that enhance security on the Windows Server machine. Hardening is performed after CPM installation.

Hardening consists of the following tasks:

  • In-Domain Automatic Hardening via GPO
  • Out of Domain Hardening via INF import



Multiple CPMs




DR :

In order to prevent a scenario where the CPM is unavailable, you can set up a Disaster Recovery (DR) "active-passive" cluster by installing and configuring a second CPM instance.

If the primary CPM is down, you can manually switch over to the second instance, the DR CPM.

Only one active instance of the CPM can be available at any time.




Troubleshooting

1. CPM verify password failed because of CPM engine signature 

Error message: 
CACPM338E Failed to perform verifypass operation on Master
See logs for more information.).
The CPM is trying to verify this password because its status matches the following search criteria: ResetImmediately,Failure
Safe: Dev-Cyber-J-Test-1
Folder: Root
Object: Operating System-Dev-Win-Domain-Test-1-51sectest.dev-winadmin1 (Error: CACPM804E Error verifying CPM engine signature: ".\bin\passchng.exe"

Fix: 

Administration > Central Policy Manager > selected the right PasswordManager > CPM Settings > General > VerifyEnginesSignatures = No.

Restart the CPM.

That should fix it.

My CPM Version: 11.5








YouTube





No comments:

Post a Comment