Understanding CyberArk CPM - NETSEC


Thursday, December 7, 2023

Understanding CyberArk CPM

The CPM is installed on a Windows system as an automatic system service called CyberArk Password Manager. It can be stopped and started through the standard Windows service management tools.

Diagram (image not available in this extract)

Configure the Central Policy Manager


In addition to platforms, the CPM has its own configuration settings. These include general parameters for the CPM, and extra parameters related to log files and email notifications. The configuration file containing these settings (cpm.ini) is created automatically during setup and stored in the Root folder of the <username> Safe, by default called the ‘PasswordManager’ Safe. Users can configure it through the ADMINISTRATION page.

To configure the CPM through the PVWA:

  1. Log on to the PVWA with an Administrator user.

  2. Click Administration > Configuration Options, and at the bottom, click CPM Settings.

  3. In the left pane, click General, and enter the following information:

    Interval parameters

    • Interval - The number of minutes after which the CPM re-reads the list of platforms, in order to handle new platforms or remove deleted ones.

    Email parameters

    Specify the following email parameters so that the CPM can send error notifications to defined recipients. For more information, refer to Administration.

    • NotifyPeriod - The minimal interval in hours between email notifications.
    • NotifyOnlyOnError - Whether or not to send only error notifications.
    • AdminEmailAddress - The email address to which notifications are sent.
    • SmtpServer - The IP address of the SMTP server.
    • SenderAddress - The email address the notifications are sent from.
    • Subject - The subject line of the email.

    Log parameters

    Specify the following log parameters so that the CPM can save log files and upload them into the Vault. For more information, refer to Administration.

    • LogCheckPeriod - The interval in hours after which the log files are uploaded to the Vault. After the log files are uploaded to the Vault, they are deleted from the CPM machine. This applies to the pm and pm_error log files. ThirdParty logs are not uploaded to the Vault; they are copied to the Logs\Old\ThirdParty folder on the same interval.
    • LogSafeFolderName - The full name of the folder in the Safe where the log files are saved.
    • LogSafeName - The name of the Safe where the log files are saved.

    Events parameters

    Specify the following Events parameters so that the Password Vault Web Access can display information about the CPM.

    • WriteStartCycleEvent - Whether or not the CPM writes an ‘I’m alive’ event each time it reads platforms from the CPM Safe. These events are written to the PasswordManager_Info Safe.
    • LogPasswordEvents - Whether or not the CPM writes a corresponding event each time it changes, verifies, or reconciles a password.
    • CopyPoliciesToCPMInfoSafe - Whether or not the CPM copies platform files from the CPM Safe to the CPM information Safe each time it reads these files, so that users can view them in the PVWA.
    • DisableExceptionHandling - How the CPM behaves when the system stops suddenly.
        - Yes - The CPM passes control of exception handling to the operating system, resulting in crash dumps. This is the default value.
        - No - The CPM logs a system crash, but does not pass control to the operating system.

    Auto-detection parameters

    Specify the following auto-detection parameters to determine how the CPM manages auto-detection processes.

    • ADPoolSize - The number of automatic detection processes executed concurrently. Restart the CPM to apply this parameter.
    • AllowManualRequests - Whether or not the CPM searches for auto-detection processes initiated manually by users.
    • ManualRequestsInterval - The time interval in minutes between searches for auto-detection processes initiated manually by users.
    • ManualRequestsRecoveryStartTime - The number of retroactive hours to search for auto-detection processes initiated manually by users.

    Security parameters

    • VerifyEnginesSignatures - Indicates whether the CPM validates the integrity of the engines running the plugins using certificates.

  4. Click Apply to apply the new configurations.






Scenarios for Check-in / Check-out / OTP


https://cyberark.my.site.com/s/article/Understanding-the-possible-One-Time-Password-Exclusive-and-Allow-Manual-Change-combinations

 
One-time password, exclusive & allow manual change:
- Account is locked when retrieved.
- If the user releases it manually, the account is set to ResetImmediately=ChangeTask and the CPM changes the password based on the immediate interval.
- If the user doesn't release it manually, the CPM releases the account and changes the password once the MinValidityPeriod has passed.
 
Exclusive & allow manual change (without one-time password):
- Account is locked when retrieved.
- If the user releases it manually, the account is set to ResetImmediately=ChangeTask and the CPM changes the password based on the immediate interval.
- If the user doesn't release it manually, the account stays locked.
 
Exclusive & one-time password (without allow manual change):
- Account is locked when retrieved.
- If the user releases it manually, the password won't change.
- If the user doesn't release it manually, the account is released in the one-time password cycle.
 
Exclusive (without one-time password & allow manual change):
- Account is locked when retrieved.
- The CPM never changes the password. If you think you are in this mode but your password changes, uncheck AllowManualChange.

One-time password & allow manual change (without exclusive):
- Account is NOT locked when retrieved.
- The password WILL change once the MinValidityPeriod has passed, because the time is counted from the last time the password was used (the account is not locked).
- If the policy is set to periodic change, the password will also change in the periodic cycle.
 
One-time password (without exclusive & allow manual change):
- Account is NOT locked when retrieved.
- The password will NOT change by MinValidityPeriod, because the one-time change requires AllowManualChange to be set to "yes". The account is found but ignored (see the logs).
- If the policy is set to periodic change, the password will change in the periodic cycle.
 
Without exclusive, one-time password & allow manual change:
- Account is NOT locked when retrieved.
- The password will NOT change by MinValidityPeriod, because both one-time passwords and AllowManualChange are off.
- If the policy is set to periodic change, the password will change in the periodic cycle.
 
Notes:
  • Any changes to the Master Policy settings require the refresh interval of the CPM to pass, or a restart of the CyberArk Password Manager service.
  • Also check that the PasswordManagerUser has "Unlock user" permissions.
  • The platform Interval setting also affects when the CPM performs password changes. For details, see CPM - Password change time and reset immediately time frame, change now
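The scenario list above is effectively a decision table over three Master Policy flags. The following Python block is an added illustration, not CyberArk code: the behaviour labels, the function names and the `periodic_policy` argument are assumptions, and each branch mirrors one of the listed scenarios so that an operator can check which combination explains an observed lock or rotation.

```python
# Executable model of the OTP / Exclusive / AllowManualChange matrix described
# above. Added illustration, not CyberArk code: the behaviour labels and both
# functions are assumptions; each branch mirrors one of the listed scenarios.
from typing import FrozenSet

LOCKED = "locked on retrieval"
MANUAL_RELEASE_CHANGES = "manual release sets ResetImmediately=ChangeTask"
MIN_VALIDITY_CHANGE = "changed once MinValidityPeriod has passed"
CPM_RELEASES = "CPM releases the account itself"
STAYS_LOCKED = "stays locked if the user never releases it"
NEVER_CHANGED = "CPM never changes the password"
PERIODIC = "changed in the periodic cycle"
IGNORED = "found but ignored: one-time change needs AllowManualChange"

def cpm_behaviour(one_time: bool, exclusive: bool, allow_manual: bool,
                  periodic_policy: bool) -> FrozenSet[str]:
    """Expected CPM behaviour for one Master Policy flag combination."""
    if exclusive:                      # exclusive accounts are always locked
        if one_time and allow_manual:
            out = {LOCKED, MANUAL_RELEASE_CHANGES, MIN_VALIDITY_CHANGE, CPM_RELEASES}
        elif allow_manual:             # no OTP: a forgotten lock is never cleared
            out = {LOCKED, MANUAL_RELEASE_CHANGES, STAYS_LOCKED}
        elif one_time:                 # manual release does not rotate it
            out = {LOCKED, CPM_RELEASES}
        else:                          # exclusive only
            out = {LOCKED, NEVER_CHANGED}
        return frozenset(out)
    out = set()                        # non-exclusive: never locked
    if one_time and allow_manual:
        out.add(MIN_VALIDITY_CHANGE)
    elif one_time:
        out.add(IGNORED)
    if periodic_policy:
        out.add(PERIODIC)
    return frozenset(out)

CHANGE_TRIGGERS = {MANUAL_RELEASE_CHANGES, MIN_VALIDITY_CHANGE, PERIODIC}

def will_password_change(one_time: bool, exclusive: bool, allow_manual: bool,
                         periodic_policy: bool) -> bool:
    """True if any listed scenario can make the CPM rotate the password."""
    return bool(cpm_behaviour(one_time, exclusive, allow_manual, periodic_policy)
                & CHANGE_TRIGGERS)
```

A password that rotates while `will_password_change(False, True, False, ...)` returns False points at the note above: AllowManualChange is probably still set.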









Change password automatically by CPM

The CPM can change passwords for managed accounts. When you create an account, you can define whether the account's password will be automatically managed by the CPM, using the Allow automatic password management property.

The CPM generates unique and highly secure passwords using the password policy and the random password generation mechanism, so passwords that are managed by the CPM generally do not require manual intervention.

Passwords are changed by the CPM in the following scenarios:

  • Password expired - The expiration period is configured in the Master Policy using the Require password change every X days rule. For details, see Require password change every X days.

  • Request timeframe - A user requests to connect to an account or display a password (dual control) for a certain timeframe, and that request is approved. Once the timeframe expires, the password is changed (if the user has already released the account, it is changed upon release).

  • Manual initiation - If the account is managed by the CPM, when the user clicks Change, an immediate CPM change operation is initiated.

  • One-time and exclusive passwords - Passwords that are defined as one-time passwords or that are configured for Exclusive Account mode are changed after every use. These are configured in the Master Policy with the Enforce one-time password access and the Enforce check-in/check-out exclusive access rules. These passwords are changed after accounts are checked in manually, or automatically after a minimum validity period defined in the Master Policy, or based on the request timeframe.

  • Account groups - When the password of an account that is a member of a group is changed, the password values for the entire group are also changed.





Change passwords

The password change processes determine how frequently passwords are changed and how the changes are initiated. These processes are configured in the Password Change parameters.

Verify passwords

The password verification processes determine how frequently passwords are verified and how the verification is initiated. These processes are configured in the Password Verification parameters.

Reconcile passwords

The password reconciliation processes determine how frequently passwords are reconciled and how the reconciliation is initiated. These processes are configured in the Password Reconciliation parameters.


Change password manually by user

 

You have the following options for changing the password:

  • Trigger the CPM to change the password - The account is managed by the CPM; the CPM changes the password both on the target machine and in the Vault. To initiate a password change, you must have the following Safe member authorization: Initiate CPM password management operations.

  • Change the password manually only in the Vault - You must have the following Safe member authorization in the Safe where the account is stored: Update password value.



Troubleshooting




"CACPM250E Operation on remote machine on password object safe: <Safe>, Folder: <Folder>,Object: <Object> failed (try #x) with the following error: Error in changepass to user <User> on domain <Domain> (\\Domain). (winRC=2245) The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements."

Note: https://cyberark.my.site.com/s/article/00001601
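When this error recurs, the useful triage question is which accounts keep failing and with which winRC. The following Python block is an added illustration, not CyberArk code: the regular expression is derived from the CACPM250E message layout quoted above, the only winRC it explains is 2245 (the one the message itself explains), and the sample log lines are constructed.

```python
# Parser and triage helper for the CACPM250E message quoted above.
# Added illustration, not CyberArk code: the regex follows the quoted message
# layout, and the SAMPLE_LOG lines below are constructed, not real CPM output.
import re
from collections import Counter

CACPM250E = re.compile(
    r"CACPM250E Operation on remote machine on password object "
    r"safe: (?P<safe>[^,]+), Folder: (?P<folder>[^,]+),\s*Object: (?P<object>.+?) "
    r"failed \(try #(?P<attempt>\d+)\) with the following error: "
    r"Error in changepass to user (?P<user>\S+) on domain (?P<domain>\S+) "
    r"\(\\\\[^)]*\)\. \(winRC=(?P<winrc>\d+)\) (?P<message>.*)$"
)

# Only the return code the message itself explains is mapped here.
WINRC_HINTS = {
    2245: "new value rejected by the target's password policy: compare the "
          "platform password policy with the domain's length, complexity and "
          "history requirements",
}

def parse_cacpm250e(line: str):
    """Return the structured fields of a CACPM250E line, or None if no match."""
    m = CACPM250E.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["attempt"] = int(rec["attempt"])
    rec["winrc"] = int(rec["winrc"])
    rec["hint"] = WINRC_HINTS.get(rec["winrc"], "unmapped winRC; read pm_error.log context")
    return rec

def triage(lines):
    """Count failed change attempts per (safe, object, winRC) so accounts stuck
    in a retry loop stand out."""
    counts = Counter()
    for line in lines:
        rec = parse_cacpm250e(line)
        if rec:
            counts[(rec["safe"], rec["object"], rec["winrc"])] += 1
    return counts

SAMPLE_LOG = [  # constructed sample lines in the quoted message layout
    "CACPM250E Operation on remote machine on password object safe: WinDomainAdmins, "
    "Folder: Root,Object: svc_backup-corp failed (try #1) with the following error: "
    "Error in changepass to user svc_backup on domain corp.example (\\\\corp.example). "
    "(winRC=2245) The password does not meet the password policy requirements. "
    "Check the minimum password length, password complexity and password history requirements.",
    "CACPM250E Operation on remote machine on password object safe: WinDomainAdmins, "
    "Folder: Root,Object: svc_backup-corp failed (try #2) with the following error: "
    "Error in changepass to user svc_backup on domain corp.example (\\\\corp.example). "
    "(winRC=2245) The password does not meet the password policy requirements. "
    "Check the minimum password length, password complexity and password history requirements.",
    "Unrelated informational line (constructed) that the parser must skip",
]
```

Feed it the lines of the pm_error log (uploaded to the Vault on the LogCheckPeriod interval described above) and `triage()` returns the accounts and return codes to look at first.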






