
PAS ADMINISTRATION

EPV Administration

CyberArk Training
OBJECTIVES

By the end of this lesson you will be able to:

• Describe the different Layers of Security that protect the Vault Data
• Describe EPV system architecture
• Describe EPV components server environment
• Describe EPV vault environment

SYSTEM ARCHITECTURE

VAULT AND COMPONENTS

• Components must authenticate each time they connect to the Vault
• Each Component has a User ID and password

Diagram: the Vault at the centre, with its components connected around it: Privileged Session Manager, Password Vault Web Access, Central Policy Manager, PACli and SDKs, PrivateArk Client, Unix/Windows Application Provider and Unix/Windows Privilege Provider.
COMPONENT COMMUNICATION – CPM AND PVWA

The CPM and the PVWA exchange information. However, all the communication is done through the Vault.

Diagram: the Central Policy Manager and the Password Vault Web Access each connect to the Vault on port 1858; the CPM reaches the Managed Target Accounts and Servers; End Users (IT Staff, Auditor, etc.) and Vault Administrators reach the Password Vault Web Access over HTTPS.
EPV CLIENTS

Diagram: the Vault and its clients. End Users (IT Staff, Auditor, etc.) work through the Privileged Session Manager and the Password Vault Web Access; the Central Policy Manager manages the Managed Target Accounts and Servers (Unmanaged Target Accounts and Servers remain outside it); Custom Applications, Reporting Tools, etc. use PACli and SDKs; Vault Administrators use the PrivateArk Client; Target Databases are served by the Unix/Windows Application Provider; and Unix/Windows Users are served by the Unix/Windows Privilege Provider.
ARCHITECTURE – BASIC DEPLOYMENT, ONE SITE

The Central Policy Manager communicates with the Target Servers via their native protocols.

Diagram: component server CACOMP01 (Central Policy Manager and Password Vault Web Access) and Vault server CAVAULT01, with the addresses 192.168.23.19, 192.168.23.20 and 192.168.23.31 shown. The components connect to the Vault on port 1858, the CPM reaches the Target Systems, and End Users (IT Staff, Auditor, etc.) reach the Password Vault Web Access over HTTPS.
ARCHITECTURE – BASIC DEPLOYMENT, MULTIPLE SITES

Possible reasons for multiple CPMs:

• Isolated network segments
• WAN Link Latency
• Scalability

Diagram: the one-site layout (CAVAULT01 and CACOMP01 at 192.168.23.19, 192.168.23.20 and 192.168.23.31) extended with a second site whose hosts (labelled CAVAULT02) use 10.0.1.30, 10.0.1.31 and 10.0.1.60. Each site has its own Central Policy Manager for its local Target Systems; the first site also hosts the Password Vault Web Access used by End Users (IT Staff, Auditor, etc.). Links to the Vault are labelled 1858, and the inter-site link 1858 or 443.
CYBERARK’S SCALABLE ARCHITECTURE

Diagram: a Vault (HA Cluster) in the Main Data Center - US with a DR Site, serving Auditors and the local IT Environment, plus remote IT Environments in London and Hong Kong, each with their own Auditors/IT.
SAMPLE ARCHITECTURE DIAGRAM WITH DR

• End Users communicate to the
  • PVWA – HTTPS
  • PSM – RDP
• Components communicate with the Vault over TCP port 1858 or 443
• Vault communicates to the
  • NTP – UDP 123
  • SMTP – TCP 25
  • DC – TCP 389 & 636
  • DR Vault – 1858
• CPM and PSM communicate to Target Devices using native protocols
THE VAULT
(SECURITY)

THE VAULT: END TO END SECURITY

Seven layers of security sit between a Vault User and the Stored Credential:

• Session Encryption: proprietary protocol; OpenSSL encryption
• Firewall: hardened built-in Windows Firewall (recommended)
• Authentication: single or two factor
• Discretionary Access Control: granular permissions; role based access control
• Mandatory Access Control: subnet based access control; time limits and delays
• Auditing: tamperproof audit trail; event based alerts
• File Encryption: hierarchical encryption model; every object has a unique key
THE VAULT: AN ISLAND OF SECURITY

• Isolating the Server
  • No domain membership or trusts.
  • No DNS or WINS.
  • Uses a manually configured Host file.
• Hardening the Server
  • Remove unnecessary services.
  • Safe configuration for remaining services.
  • Only Vault Server and PrivateArk Client are installed.
  • No additional applications.
THE VAULT
(ENCRYPTION KEYS)

ENCRYPTION HIERARCHY

Diagram: the RecPub Key / RecPrv Key pair (RSA 2048) and the Vault Server Key (AES-256) sit at the top; the Server Key protects each Safe Key (AES-256, one per Safe), and each Safe Key protects the File Keys (AES-256) that encrypt the Passwords.
FILE ENCRYPTION PROCESS

• Each Credential is stored as an encrypted file on the Vault
• A unique symmetric key is generated for each file (File Key)
• The File Key is then encrypted with the Safe Key, which is a symmetric key unique to the Safe
• The Safe Key is then encrypted with the symmetric Server Key, which is unique to the Vault
• Server Key
  • The Server Key is loaded into memory when the Vault starts
• RecPub Key
  • A copy of the relevant Safe Key is encrypted with the RecPub Key and stored in each password object

Diagram: the RecPub Key (RSA 2048) and the Server Key (AES-256) both protect the Safe Key (AES-256), which protects the File Key.
NORMAL FILE DECRYPTION PROCESS

• The Server Key is used to decrypt the Safe Key
• The Safe Key is used to decrypt the File Key
• The File Key is used to decrypt the file

Diagram: Server Key, then (AES-256) Safe Key, then (AES-256) File Key.
SECURE RECOVERY MECHANISM

In an emergency situation, the Secure Recovery Mechanism can be used to access file keys.

• A copy of the relevant Safe Key is encrypted with the RecPub Key and stored in each password object
• The RecPub Key is an asymmetric key (RSA 2048)
• The Safe Key can be decrypted with the RecPrv Key, then used to decrypt the File Key and finally the content
• The RecPrv Key can be used in an emergency situation to decrypt any credential on the Vault
• For day to day operations we only need the Server Key and the RecPub Key

Diagram: the RecPub Key / RecPrv Key pair (RSA 2048) alongside the Server Key (AES-256), both protecting the Safe Key (AES-256), which protects the File Key.
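The file encryption, normal decryption and secure recovery slides above describe one key hierarchy. The Go program below is an added example written for this page, not CyberArk code, that models that hierarchy end to end with the sizes the slides give (AES-256 for the Server, Safe and File Keys, RSA 2048 for the recovery pair). The wrapping modes (AES-GCM and RSA-OAEP), the Vault and PasswordObject types, the GenerateRecoveryKeyPair helper and the in-memory layout are assumptions; the real Vault's on-disk format is not described on the slides.

```go
package main

// Added example, not CyberArk code: a toy of the Vault key hierarchy with the
// slides' sizes (AES-256 Server/Safe/File Keys, RSA 2048 recovery pair).
// AES-GCM and RSA-OAEP as the wrapping modes are assumptions.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// PasswordObject is one encrypted credential file: the credential under the
// File Key, the File Key under the Safe Key, a Safe Key copy under RecPub.
type PasswordObject struct{ Ciphertext, WrappedFileKey, RecoveryCopy []byte }

// Vault holds the Server Key (in memory while running), the RecPub Key and
// every Safe Key wrapped by the Server Key; it never holds the RecPrv Key.
type Vault struct {
	serverKey []byte
	recPub    *rsa.PublicKey
	safes     map[string][]byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}

// gcmFor builds AES-256-GCM; keys here are always 32 random bytes, so failure is a bug.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// aesWrap encrypts data under key with a fresh 12-byte nonce prepended;
// aesUnwrap reverses it and fails the GCM tag check when the key is wrong.
func aesWrap(key, data []byte) []byte {
	nonce := randomBytes(12)
	return gcmFor(key).Seal(nonce, nonce, data, nil)
}
func aesUnwrap(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 { return nil, fmt.Errorf("ciphertext missing or too short") }
	return gcmFor(key).Open(nil, blob[:12], blob[12:], nil)
}

// GenerateRecoveryKeyPair stands in for the RecPub/RecPrv pair shipped on the CDs.
func GenerateRecoveryKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// NewVault generates a fresh Server Key, unique to this Vault.
func NewVault(recPub *rsa.PublicKey) *Vault { return &Vault{randomBytes(32), recPub, map[string][]byte{}} }

// CreateSafe generates a Safe Key and keeps it wrapped by the Server Key.
func (v *Vault) CreateSafe(name string) { v.safes[name] = aesWrap(v.serverKey, randomBytes(32)) }

// Store is the FILE ENCRYPTION PROCESS: a new File Key per object, the File
// Key wrapped by the Safe Key, and a copy of the Safe Key under RecPub.
func (v *Vault) Store(safe string, credential []byte) (PasswordObject, error) {
	sk, err := aesUnwrap(v.serverKey, v.safes[safe]) // unknown safe: nil blob, error
	if err != nil { return PasswordObject{}, err }
	recovery, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, v.recPub, sk, nil)
	if err != nil { return PasswordObject{}, err }
	fk := randomBytes(32)
	return PasswordObject{aesWrap(fk, credential), aesWrap(sk, fk), recovery}, nil
}

// unwrapFile is the tail shared by both decryption paths (Safe Key -> File
// Key -> file); err is the outcome of obtaining the Safe Key.
func unwrapFile(safeKey []byte, err error, obj PasswordObject) ([]byte, error) {
	if err != nil { return nil, err }
	fk, err := aesUnwrap(safeKey, obj.WrappedFileKey)
	if err != nil { return nil, err }
	return aesUnwrap(fk, obj.Ciphertext)
}

// Read is the NORMAL FILE DECRYPTION PROCESS: Server Key -> Safe Key -> File Key -> file.
func (v *Vault) Read(safe string, obj PasswordObject) ([]byte, error) {
	sk, err := aesUnwrap(v.serverKey, v.safes[safe])
	return unwrapFile(sk, err, obj)
}

// Recover is the SECURE RECOVERY MECHANISM: the RecPrv Key (Master CD) unwraps
// the Safe Key copy inside the object, so the Server Key is not needed.
func Recover(recPrv *rsa.PrivateKey, obj PasswordObject) ([]byte, error) {
	sk, err := rsa.DecryptOAEP(sha256.New(), nil, recPrv, obj.RecoveryCopy, nil)
	return unwrapFile(sk, err, obj)
}

func main() {
	recPrv, _ := GenerateRecoveryKeyPair()
	v := NewVault(&recPrv.PublicKey)
	v.CreateSafe("UnixSSH")
	obj, _ := v.Store("UnixSSH", []byte("constructed-sample-password")) // constructed input
	normal, _ := v.Read("UnixSSH", obj)
	recovered, _ := Recover(recPrv, obj)
	fmt.Printf("normal path: %s\nrecovery path: %s\n", normal, recovered)
}
```

Read needs the Server Key that the running Vault loaded from the Operator CD; Recover needs only the RecPrv Key from the Master CD and works on a copied password object with no Vault running at all, which is why the following slides keep the Master CD in a physical safe. A foreign Server Key or the wrong RecPrv Key fails the GCM tag check or the OAEP decryption instead of yielding garbage, and every Store call draws a fresh File Key, so two encryptions of the same credential produce different ciphertexts.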
HOW ENCRYPTION KEYS ARE DISTRIBUTED

Every new system is shipped with two CDs:

• Operator CD
  • The Operator CD contains:
    • Server Key
    • Recovery Public Key
  • Operator CD keys are required to install and start the vault server.
• Master CD
  • The Master CD contains:
    • Server Key
    • Recovery Public Key
    • Recovery Private Key
  • Master CD keys are to be used for emergencies (login as Master, recover the Vault, or re-key the Vault).
MASTER KEY STORAGE STRATEGIES

Always store the Master CD in a secure location (physical safe).
OPERATOR KEY STORAGE STRATEGIES

• STRONG: Store the Operator CD in a secure location and mount the CD whenever starting/restarting the vault.
• CONVENIENT: Copy the contents of the Operator CD to the Direct Attached Storage of the vault server(s) and secure with NTFS Permissions.
• STRONG & CONVENIENT: Copy only the Recovery Public Key to the server and store the Server Key in a Hardware Security Module.
THE VAULT
(ADMINISTRATION TOOLS)

VAULT SERVER CENTRAL ADMINISTRATION STATION

• Some of the operations the Server Interface allows are:
  • Starting and stopping the PrivateArk Server Windows service.
  • Displaying the Vault Server log (ITALOG.LOG).
• The Server interface is installed on the Vault host; it cannot be installed on other machines.
REMOTE CONTROL AGENT

• The Remote Control Agent allows you to perform several Vault admin tasks (without restarting the Vault) and view machine statistics
• Executed from a remote machine (no need to open RDP Port)
• Communicates through the CyberArk Remote Control protocol on port 9022

Note: The Remote Control Agent is also required to send out SNMP traps

Monitoring the Vault status using the Remote Client: (screenshot)
PRIVATEARK CLIENT

• The PrivateArk Client is the administrative interface to the Vault data.
• The PrivateArk Client can be installed on any station with access to the Vault.
• When you log into the PrivateArk Client, you will see a list of safes.
THE VAULT
(CONFIGURATION FILES AND LOGS)

VAULT CONFIGURATION FILES

• dbparm.ini
  • Main Configuration file of the Vault
  • Any change requires a restart of the Vault service
• Passparm.ini
  • Configure password policy for users of the Vault
• PARagent.ini
  • Configure Remote Control Agent in the Vault
  • SNMP Configuration
• TSparm.ini
  • Configure the physical disks used to store vault data
DBPARM.INI

• dbparm.ini: Current Vault configuration file, contains parameters for Log Level, Server Key, Syslog, Timeouts, Recovery Key etc.
• dbparm.sample.ini: contains all the possible configuration options. Full info on the parameters is contained in the PAS Reference Guide.
• dbparm.ini.good: contains the last known good configuration of the dbparm.ini file. Created automatically when the Vault server comes up.
VAULT LOG FILES

• Italog.log
  • Main log file of the vault server.
• Trace.d0
  • Trace file of the Vault.
  • It is detailed according to the debug level configured in the dbparm.ini.
VAULT CONFIGURATION FILES AND LOGS - PRIVATEARK CLIENT

• The Vault’s main configuration files and logs can also be accessed in the System safe from remote stations using the PrivateArk Client.
• License.xml can be pasted into this safe to update the license without restarting the Vault service.
THE CPM

CPM - AUTOMATIC, POLICY-BASED PASSWORD MANAGEMENT

• The Central Policy Manager can reduce the burden on IT and eliminate configuration errors by automatically changing passwords based on organizational requirements.
• For many non-AD platforms, a manual process was previously needed to change passwords. In many instances, passwords were not changed routinely and thus commonly fell out of compliance.
• Managing those previously unmanaged accounts automatically with the CPM brings them into compliance and reduces vulnerabilities.
CPM – CENTRAL POLICY MANAGER

The CPM performs password changes and SSH Key rotations on devices based on the policies set by Vault Administrators.

Diagram: the Central Policy Manager applies a Policy and generates a new password for each account in the IT Environment (e.g. y7qeF$1, Im7yT%w, Tojsd$5fh, gviNa9%, X5$aq+p), replacing the password the accounts all currently share:

System | User | Pass
Unix | root | tops3cr3t
Oracle | SYS | tops3cr3t
Windows | Administrator | tops3cr3t
z/OS | DB2ADMIN | tops3cr3t
Cisco | enable | tops3cr3t
CPM PASSWORD CHANGE PROCESS

When the CPM needs to change a password the following process is executed (sequence between Vault, CPM and Target):

• The CPM scans the Vault for the Account
• The Vault returns the Account Info & Current Passwords to the CPM
• The CPM logs in to the Target using the current credentials; the Target reports success or failure
• The CPM generates a new Password
• The CPM connects to the Target and runs the change password; the Target reports success or failure
• The CPM logs in to the Target using the new credentials; the Target reports success or failure
• The CPM stores the new credentials in the Vault
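The exchange in the sequence above, as an added example written for this page and not CyberArk code: a Go model of the CPM's change sequence run against constructed in-memory stand-ins for the Vault and the target device. The Vault and Target interfaces, the MemVault and FakeTarget types, the password generator and the rule that nothing is stored in the Vault unless every step reported success are all assumptions for illustration; the slide only shows the order of the messages.

```go
package main

// Added example, not CyberArk code: a model of the CPM PASSWORD CHANGE PROCESS
// slide with constructed in-memory Vault and Target stand-ins. The interfaces,
// the generator and "store nothing unless every step succeeded" are assumptions.

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

type Account struct{ User, Password string } // what the Vault scan returns

// Vault is the CPM's view of the Vault; Target is the managed device, reached
// over its native protocol. Both are mocked further down.
type Vault interface {
	Account(safe, name string) (*Account, error)
	StoreCredentials(safe, name, password string) error
}
type Target interface {
	Login(user, password string) error
	ChangePassword(user, newPassword string) error
}

// GeneratePassword draws length characters uniformly with crypto/rand.
func GeneratePassword(length int) string {
	const chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!$%+"
	b := make([]byte, length)
	for i := range b {
		n, err := rand.Int(rand.Reader, big.NewInt(int64(len(chars))))
		if err != nil {
			panic(err)
		}
		b[i] = chars[n.Int64()]
	}
	return string(b)
}

// ChangePassword runs the slide's sequence. Each step reports success or
// failure; on failure nothing is written to the Vault and the error names the
// step, so an operator can tell whether the device and the Vault still agree.
func ChangePassword(v Vault, t Target, safe, name string) (string, error) {
	acct, err := v.Account(safe, name) // scan Vault for account
	if err != nil {
		return "", fmt.Errorf("scan vault: %w", err)
	}
	if err := t.Login(acct.User, acct.Password); err != nil { // login using current credentials
		return "", fmt.Errorf("login with current credentials: %w", err)
	}
	newPw := GeneratePassword(14) // generate password
	if err := t.ChangePassword(acct.User, newPw); err != nil { // connect & run change password
		return "", fmt.Errorf("change password on target: %w", err)
	}
	if err := t.Login(acct.User, newPw); err != nil { // login using new credentials
		return "", fmt.Errorf("login with new credentials: %w", err)
	}
	if err := v.StoreCredentials(safe, name, newPw); err != nil { // store new credentials
		return "", fmt.Errorf("store new credentials: %w", err)
	}
	return newPw, nil
}

// MemVault and FakeTarget are constructed stand-ins, not CyberArk components.
type MemVault struct{ Accounts map[string]*Account }

func (m *MemVault) Account(safe, name string) (*Account, error) {
	if a := m.Accounts[safe+"/"+name]; a != nil {
		return a, nil
	}
	return nil, errors.New("account not found: " + safe + "/" + name)
}
func (m *MemVault) StoreCredentials(safe, name, password string) error {
	a, err := m.Account(safe, name)
	if err == nil {
		a.Password = password
	}
	return err
}

type FakeTarget struct {
	User, Password string
	RejectChange   bool // simulate the change command failing on the device
}

func (f *FakeTarget) Login(user, password string) error {
	if user != f.User || password != f.Password {
		return errors.New("authentication failed")
	}
	return nil
}
func (f *FakeTarget) ChangePassword(user, newPassword string) error {
	if f.RejectChange || user != f.User {
		return errors.New("change command rejected")
	}
	f.Password = newPassword
	return nil
}

func main() {
	v := &MemVault{Accounts: map[string]*Account{"UnixSSH/root": {User: "root", Password: "tops3cr3t"}}}
	tg := &FakeTarget{User: "root", Password: "tops3cr3t"}
	fmt.Println(ChangePassword(v, tg, "UnixSSH", "root"))
}
```

The two verification logins are the parts worth studying: the first catches a Vault credential that is already stale before anything is changed, and the second, after the change, is the last chance to notice that the device and the Vault disagree. The returned error names the step that failed, which is what an operator needs to decide whether the account can simply be retried or must be reconciled.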
THE CPM SERVICES

CPM DIRECTORIES

LOG FILES

• Activity Logs (Logs folder)
  • pm.log – contains all the log messages, including general and informative messages, errors, and warnings.
  • pm_error.log – contains only warning and error messages.
• Third party plug-ins log files (Logs\ThirdParty folder)
  • Generated by the Central Password Manager built-in password generation when an error occurs.
  • Name of the log file: <type of password>-<Safe>-<folder>-<name of password object>.log, e.g. Operating System-UnixSSH-1.1.1.250-Root.log
• History log files (Logs\History folder)
  • After a log file has been uploaded into the Safe, it is renamed and moved into the History subfolder.
  • The file is marked with a time stamp and renamed as follows: <filename> (<date>-<time>).log
THE PVWA

PVWA SERVICE (IIS SERVICES)

• As the PVWA is a website running on IIS, use the following command from an elevated command prompt to restart the website:
  iisreset /restart
• Or use
  iisreset /status
  to check the status of the website.
PVWA DIRECTORIES (IIS FOLDER)

• Web page - IIS Virtual Folder - PasswordVault
• PVWA Application is located in C:\Cyberark\PVWA
PVWA LOG LOCATION

• Default Log File Location: %windir%\temp\PVWA\
• Can be changed using the "LogFolder" parameter in web.config in the IIS PasswordVault folder
PVWA – LOGGED IN AS A VAULT ADMIN – ACCOUNTS PRE-V10

• A new PVWA UI was released in v10.
• The Accounts view has been modified to provide a better user experience and a new System Health window has been added.
• You can access the new UI by clicking on Account views V10 interface.
• Most other tabs currently utilize the V9.x PVWA UI.
V10 ACCOUNTS VIEW

V10 PVWA UI – MOST TABS USE V9 UI

SYSTEM HEALTH

• A new System Health window was added.
• In V10.2, drill down windows were added for each component.
• You can click on the ? to access on-line help.
ON-LINE HELP

• On-line Help is available and includes easily searchable information from our documentation.
ON-LINE HELP CONT.

• At the bottom of the online help window, there are links to other resources.
  • Explore the CyberArk web site
  • Connect to the CyberArk Customer Community
  • Learn about additional resources that can be found at the Resource Center
    • Webinars, Case Studies, Brochures and Datasheets, videos, and more
  • Provide feedback or Contact CyberArk Support
CYBERARK RESOURCE CENTER

• Flexible Search Criteria
• A variety of resources are available to search.
INSIDE THE VAULT

VAULT INITIAL SAFES – PRIVATEARK CLIENT

• The three initial safes created during the Vault installation are:
  • Notification Engine: used by the ENE service
  • System: contains the file links for DBParm.ini etc.
  • VaultInternal: contains configuration data for CyberArk LDAP integration
VAULT BUILT-IN USERS AND GROUPS – PRIVATEARK CLIENT
TOOLS->ADMINISTRATIVE TOOLS->USERS AND GROUPS

• When the Vault is installed, a set of pre-defined users and groups is created.
• They each have different permissions based on their specific roles.
CPM SAFES – PRIVATEARK CLIENT

• There are two safes shared by all CPM servers:
  • PasswordManagerShared
  • PasswordManager_Pending
• The remaining four safes will be duplicated for each CPM in the CyberArk environment and named after the user for that CPM, e.g.
  • PasswordManager
  • PasswordManager_ADInternal
  • PasswordManager_info
  • PasswordManager_workspace
CPM VAULT USER – PRIVATEARK CLIENT
TOOLS->ADMINISTRATIVE TOOLS->USERS AND GROUPS

• When creating a safe using the Password Vault Web Access, the CPM user is added by default.
PVWA SAFES – PRIVATEARK CLIENT

• PVWAConfig – configuration settings for PVWA.
• PVWAPrivateUserPrefs – user preference settings.
• Note: The above two safes should not be accessed directly.
• PVWAReports – completed reports.
• PVWATaskDefinitions – report definitions.
PVWA VAULT USERS AND GROUPS – PRIVATEARK CLIENT
TOOLS->ADMINISTRATIVE TOOLS->USERS AND GROUPS

• PVWAAppUser is used by the Password Vault Web Access for internal processing.
• PVWAGWUser is the Gateway user through which other users will access the Vault.
PVWA GATEWAY USER

Diagram: the user Rotem (IT Administrator) logs in to the PVWA, which connects to the Vault as PVWAGWUser (Rotem) on Rotem's behalf to reach the IT Environment.
SUMMARY

• Hardened Vault Server is an Island of Security
• Seven Layers of Security Controls
• The CPM
• The PVWA
• Built-in Safes and Users

THANK YOU
