EPV Administration
CyberArk Training
OBJECTIVES
• Describe the different Layers of Security that protect the Vault Data
• Describe EPV system architecture
• Describe EPV components server environment
• Describe EPV vault environment
SYSTEM ARCHITECTURE
VAULT AND COMPONENTS
[Diagram: the Vault and its clients. Labels shown: Vault, PrivateArk Client, Application Provider, Privilege Provider, Unix/Windows hosts]
COMPONENT COMMUNICATION – CPM AND PVWA
[Diagram: the Central Policy Manager manages target accounts and servers; the CPM and the Password Vault Web Access each connect to the Vault on port 1858; End Users (IT staff, auditors, etc.) and Vault Administrators reach the PVWA over HTTPS]
The CPM and the PVWA exchange information. However, all the communication is done through the Vault.
EPV CLIENTS
[Diagram of the EPV clients around the Vault: Password Vault Web Access (used by End Users such as IT staff and auditors), Privileged Session Manager (reaching unmanaged target accounts and servers), Central Policy Manager (managing target accounts and servers), PrivateArk Client (used by Vault Administrators), Application Provider (serving custom applications, reporting tools, etc. and target databases), Privilege Provider (serving Unix/Windows users); Unix/Windows hosts appear alongside the PrivateArk Client, Application Provider and Privilege Provider]
ARCHITECTURE – BASIC DEPLOYMENT, ONE SITE
[Diagram of a single-site lab deployment. Labels shown: hostnames CACOMP01 and CAVAULT01; addresses 192.168.23.19, 192.168.23.20 and 192.168.23.31; Target Systems, Central Policy Manager, Password Vault Web Access, Vault; the CPM and the PVWA connect to the Vault on port 1858; End Users (IT staff, auditors, etc.) reach the PVWA over HTTPS]
The Central Policy Manager communicates with the Target Servers via their native protocols.
ARCHITECTURE – BASIC DEPLOYMENT, MULTIPLE SITES
[Diagram of a two-site deployment: each site has Target Systems, a Central Policy Manager and a Password Vault Web Access; addresses shown are 192.168.23.19, 192.168.23.20 and 192.168.23.31 at the first site and 10.0.1.30, 10.0.1.31 and 10.0.1.60 at the second; component connections to the Vault are labelled 1858, and one link to the Vault is labelled 1858 or 443]
CYBERARK’S SCALABLE ARCHITECTURE
[Diagram: a Vault (HA Cluster) serving several IT Environments, each with its own Auditors and IT users]
SAMPLE ARCHITECTURE DIAGRAM WITH DR
• End Users communicate to the:
  • PVWA – HTTPS
  • PSM – RDP
THE VAULT
(SECURITY)
THE VAULT: END TO END SECURITY
[Diagram of the Vault's security layers, from the outside in: Firewall, Vault User Credential Authentication, Discretionary Access Control, Mandatory Access Control, Session Encryption, Stored File Encryption, Auditing]
THE VAULT: AN ISLAND OF SECURITY
THE VAULT
(ENCRYPTION KEYS)
ENCRYPTION HIERARCHY
[Diagram of the key hierarchy; the layers are labelled AES-256, RSA 2048 and AES-256]
FILE ENCRYPTION PROCESS
• RecPub Key
  • A copy of the relevant Safe Key is encrypted with the RecPub Key and stored in each password object
[Diagram label: File Key]
NORMAL FILE DECRYPTION PROCESS
[Diagram labels: Safe Key, AES-256, File Key]
SECURE RECOVERY MECHANISM
HOW ENCRYPTION KEYS ARE DISTRIBUTED
• Master CD
  • The Master CD contains:
    • Server Key
    • Recovery Public Key
    • Recovery Private Key
  • Master CD keys are to be used for emergencies (login as Master, recover the Vault, or re-key the Vault).
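The key hierarchy described on the Encryption Hierarchy, File Encryption Process, Normal File Decryption Process and key distribution slides above, modelled as an added Go example. This is not CyberArk's code: the wrapping modes (AES-256-GCM for the symmetric layers, RSA-OAEP for the RSA 2048 recovery pair), the function names and the constructed secret are assumptions made for the illustration. It shows a Safe Key kept only under the Server Key, a per-object File Key wrapped by the Safe Key, a copy of the Safe Key wrapped by the Recovery Public Key, and both decryption paths: the normal one through the Server Key and the recovery one through the Recovery Private Key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Model of the deck's key hierarchy (Server Key -> Safe Key -> File Key, AES-256;
// RSA 2048 recovery pair). AES-GCM and RSA-OAEP are assumed, not CyberArk's design.

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b)) // an OS CSPRNG failure is not recoverable here
	return b
}

// wrap encrypts data under a 32-byte key with AES-256-GCM, prepending a fresh nonce.
func wrap(key, data []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, data, nil)
}

// unwrap reverses wrap; a wrong key or a tampered blob yields an error.
func unwrap(key, blob []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// PasswordObject models one stored password object as the deck describes it.
type PasswordObject struct {
	Ciphertext      []byte // secret encrypted with the File Key
	WrappedFileKey  []byte // File Key encrypted with the Safe Key
	RecoverySafeKey []byte // copy of the Safe Key encrypted with the RecPub Key
}

// Store is the file encryption process: the Server Key unwraps the Safe Key, a
// fresh File Key encrypts the secret, and RecPub wraps a copy of the Safe Key.
func Store(serverKey, wrappedSafeKey []byte, recPub *rsa.PublicKey, secret []byte) (*PasswordObject, error) {
	safeKey, err := unwrap(serverKey, wrappedSafeKey)
	if err != nil {
		return nil, err
	}
	recCopy := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, recPub, safeKey, nil))
	fileKey := randBytes(32)
	return &PasswordObject{wrap(fileKey, secret), wrap(safeKey, fileKey), recCopy}, nil
}

// Retrieve is the normal decryption path: Server Key -> Safe Key -> File Key -> secret.
func Retrieve(serverKey, wrappedSafeKey []byte, obj *PasswordObject) ([]byte, error) {
	safeKey, err := unwrap(serverKey, wrappedSafeKey)
	return decrypt(safeKey, obj, err)
}

// Recover is the secure recovery path: the Recovery Private Key (Master CD)
// unwraps the Safe Key copy, so no Server Key is needed.
func Recover(recPriv *rsa.PrivateKey, obj *PasswordObject) ([]byte, error) {
	safeKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recPriv, obj.RecoverySafeKey, nil)
	return decrypt(safeKey, obj, err)
}

// decrypt finishes either path: Safe Key -> File Key -> secret.
func decrypt(safeKey []byte, obj *PasswordObject, err error) ([]byte, error) {
	if err != nil {
		return nil, err
	}
	fileKey, err := unwrap(safeKey, obj.WrappedFileKey)
	if err != nil {
		return nil, err
	}
	return unwrap(fileKey, obj.Ciphertext)
}

// Demo stores a constructed secret, reads it back on both paths, and reports
// whether the normal path fails once the Server Key is lost (zeroed here).
func Demo() (normal, recovered string, lostServerKeyFails bool) {
	recPriv := must(rsa.GenerateKey(rand.Reader, 2048))
	serverKey := randBytes(32)
	wrappedSafeKey := wrap(serverKey, randBytes(32)) // the Safe Key exists only under the Server Key
	obj := must(Store(serverKey, wrappedSafeKey, &recPriv.PublicKey, []byte("constructed-P@ssw0rd")))
	n := must(Retrieve(serverKey, wrappedSafeKey, obj))
	r := must(Recover(recPriv, obj))
	_, err := Retrieve(make([]byte, 32), wrappedSafeKey, obj)
	return string(n), string(r), err != nil
}

func main() { fmt.Println(Demo()) }
```

Running it with go run prints the secret twice (once per path) followed by true: both paths reach the same plaintext, and the normal path fails as soon as the Server Key is gone, which is why the deck treats the Operator CD (Server Key) and the Master CD (Recovery Private Key) as separately guarded material.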
MASTER KEY STORAGE STRATEGIES
OPERATOR KEY STORAGE STRATEGIES
• STRONG: Store the Operator CD in a secure location and mount the CD whenever starting/restarting the vault.
• CONVENIENT: Copy the contents of the Operator CD to the Direct Attached Storage of the vault server(s) and secure with NTFS Permissions.
• STRONG & CONVENIENT: Copy only the Recovery Public Key to the server and store the Server Key in a Hardware Security Module.
THE VAULT
(ADMINISTRATION TOOLS)
VAULT SERVER CENTRAL ADMINISTRATION STATION
REMOTE CONTROL AGENT
• The Remote Control Agent allows you to perform several Vault admin tasks (without restarting the Vault) and view machine statistics
• Executed from a remote machine (no need to open RDP Port)
Note: The Remote Control Agent is also required to send out SNMP traps
PRIVATEARK CLIENT
THE VAULT
(CONFIGURATION FILES AND LOGS)
VAULT CONFIGURATION FILES
DBPARM.INI
VAULT LOG FILES
VAULT CONFIGURATION FILES AND LOGS - PRIVATEARK CLIENT
THE CPM
CPM - AUTOMATIC, POLICY-BASED PASSWORD MANAGEMENT
CPM – CENTRAL POLICY MANAGER
[Diagram: the Central Policy Manager generating random passwords; sample values shown: y7qeF$1, Im7yT%w, Tojsd$5fh, gviNa9%, X5$aq+p]
CPM PASSWORD CHANGE PROCESS
When the CPM needs to change a password the following process is executed:
[Diagram of the change flow; labels shown: Success or failure (reported twice), Store new credentials]
THE CPM SERVICES
CPM DIRECTORIES
LOG FILES
Activity Logs (Logs folder)
• pm.log – contains all the log messages, including general and informative messages, errors, and warnings.
• pm_error.log – contains only warning and error messages.
History log files (Logs\History folder)
• After a log file has been uploaded into the Safe, it is renamed and moved into the History subfolder.
• The file is marked with a time stamp and renamed as follows: <filename> (<date>-<time>).log
THE PVWA
PVWA SERVICE (IIS SERVICES)
[Screenshot: the PVWA IIS services]
Alternatively, run iisreset /status to check the status of the website.
PVWA DIRECTORIES (IIS FOLDER)
PVWA LOG LOCATION
PVWA – LOGGED IN AS A VAULT ADMIN – ACCOUNTS PRE-V10
V10 ACCOUNTS VIEW
V10 PVWA UI – MOST TABS USE V9 UI
SYSTEM HEALTH
ON-LINE HELP
ON-LINE HELP CONT.
• At the bottom of the online help window, there are links to other resources.
  • Explore the CyberArk web site
  • Connect to the CyberArk Customer Community
  • Learn about additional resources that can be found at the Resource Center
    • Webinars, Case Studies, Brochures and Datasheets, videos, and more
CYBERARK RESOURCE CENTER
INSIDE THE VAULT
VAULT INITIAL SAFES – PRIVATEARK CLIENT
• VaultInternal: contains configuration data for CyberArk LDAP integration
VAULT BUILT-IN USERS AND GROUPS – PRIVATEARK CLIENT
TOOLS->ADMINISTRATIVE TOOLS->USERS AND GROUPS
CPM SAFES – PRIVATEARK CLIENT
CPM VAULT USER – PRIVATEARK CLIENT
TOOLS->ADMINISTRATIVE TOOLS->USERS AND GROUPS
PVWA SAFES – PRIVATEARK CLIENT
PVWA VAULT USERS AND GROUPS – PRIVATEARK CLIENT
TOOLS->ADMINISTRATIVE TOOLS->USERS AND GROUPS
• PVWAAppUser is used by the Password Vault Web Access for internal processing
• PVWAGWUser is the Gateway user through which other users will access the Vault
PVWA GATEWAY USER
[Diagram: a user (Rotem) in the IT Environment logs in to the PVWA, which accesses the Vault as PVWAGWUser (Rotem); an IT Administrator is also shown]
SUMMARY
THANK YOU