PAS ADMINISTRATION
Core PAS Administration
CyberArk Training
OBJECTIVES
In this session, we will look at:
  • The CyberArk PAS system architecture
  • The different layers of security that protect the Vault data
  • The various encryption methods used and how to protect the keys
  • The tools available to administrators
  • Configuration files and logs
  • The CPM and the PVWA
  • The contents of the Vault
SYSTEM ARCHITECTURE
THE VAULT AND ITS COMPONENTS
• Components must authenticate each time they connect to the Vault
• Each Component has a User ID and password

[Diagram: the Vault in the centre, with each component connecting to it: Privileged Session Manager, Password Vault Web Access, Central Policy Manager, PACli and SDKs, PrivateArk Client, Unix/Windows Application Provider and Unix/Windows Privilege Provider.]
COMPONENT COMMUNICATION – CPM AND PVWA
• The CPM queries the Vault and then executes those policies on the target systems.
• Using the PVWA, Administrators update policies in the Vault.

[Diagram: Vault administrators connect over HTTPS to the Password Vault Web Access, which talks to the Vault on port 1858; the Central Policy Manager talks to the Vault on port 1858 and to the managed target accounts and servers.]
VAULT CLIENTS

[Diagram: the clients of the Vault and the targets they reach. End Users (IT Staff, Auditor, etc.) use the Password Vault Web Access and the Privileged Session Manager; Custom Applications, Reporting Tools, etc. use PACli and SDKs; Vault Administrators use the PrivateArk Client. Beyond the Vault, the Central Policy Manager reaches managed target accounts and servers, the Privileged Session Manager reaches unmanaged target accounts and servers, the Unix/Windows Application Provider reaches target databases, and the Unix/Windows Privilege Provider serves Unix/Windows users.]
ARCHITECTURE – BASIC DEPLOYMENT, ONE SITE
• The Central Policy Manager communicates with target servers via their native protocols.

[Diagram: component server COMP01a runs the Central Policy Manager and the Password Vault Web Access; VAULT01a runs the Vault. The CPM reaches the target systems on their native ports: *nix (192.168.23.19) on 22, Windows (192.168.23.20) on 445, Oracle (192.168.23.31) on 1521. Both components reach the Vault on 1858; End Users (IT Staff, Auditor, etc.) reach the PVWA on 443.]
ARCHITECTURE – BASIC DEPLOYMENT, MULTIPLE SITES
Possible reasons for multiple CPMs:
• Isolated network segments
• WAN Link Latency
• Scalability

[Diagram: one Vault (VAULT01a) serving two sites. COMP01b runs a Central Policy Manager for the target systems 192.168.23.19, 192.168.23.20 and 192.168.23.31; COMP01a runs a second Central Policy Manager for the target systems 10.0.1.30, 10.0.1.31 and 10.0.1.60, plus the Password Vault Web Access used by End Users (IT Staff, Auditor, etc.). Each CPM and the PVWA connect to the Vault on port 1858.]
CYBERARK’S SCALABLE ARCHITECTURE

[Diagram: a Vault (HA Cluster) in the Main Data Center - US with a DR Site, serving Auditors and IT and the IT Environments in the US, London and Hong Kong.]
SAMPLE ARCHITECTURE DIAGRAM WITH DR
• End users communicate with:
   • PVWA – HTTPS
   • PSM – RDP
• Components communicate with the Vault over TCP port 1858 or 9022
• The Vault communicates with:
   • NTP – UDP 123
   • SMTP – TCP 25
   • DC – TCP 389 & 636
   • DR Vault – 1858
• CPM and PSM communicate with target devices using native protocols
VAULT SECURITY
THE VAULT: END TO END SECURITY
[Diagram: the path from a Vault User to a Stored Credential passes through seven security layers, left to right.]
• Session Encryption: Proprietary Protocol; OpenSSL Encryption
• Firewall: Hardened built-in Windows Firewall
• Authentication: Single or Two Factor Authentication (recommended)
• Discretionary Access Control: Granular Permissions; Role Based Access Control
• Mandatory Access Control: Subnet Based Access Control; Time Limits and Delays
• Auditing: Tamperproof Audit Trail; Event Based Alerts
• File Encryption: Hierarchical Encryption Model; Every object has a unique key
THE VAULT: AN ISLAND OF SECURITY
• Isolating the Server
   • No domain membership or trusts.
   • No DNS or WINS.
      • Uses a manually configured Host file
• Hardening the Server
   • Remove unnecessary services.
   • Secure configuration for remaining services.
   • Only Vault Server and PrivateArk Client are installed
   • No additional applications.
VAULT ENCRYPTION KEYS
VAULT OBJECT ENCRYPTION
[Diagram: the key hierarchy. The Vault has a Server Key (AES-256); each Safe has a Safe Key (AES-256); each password has a File Key. Alongside them sit the RecPub Key and RecPrv Key, an RSA 2048 pair.]
FILE ENCRYPTION PROCESS
• Each Credential is stored as an encrypted file on the Vault
   • The File Key is a unique symmetric key generated for each file
   • The File Key is then encrypted with the Safe Key, which is a symmetric key unique to the Safe
   • The Safe Key is then encrypted with the symmetric Server Key, which is unique to the Vault
• Server Key
   • The Server Key is loaded into memory when the Vault starts
• RecPub Key
   • A copy of the relevant Safe Key is encrypted with the RecPub Key and stored in each password object

[Diagram: Server Key → (AES-256) → Safe Key → (AES-256) → File Key, with the RecPub Key (RSA 2048) also wrapping the Safe Key.]
NORMAL FILE DECRYPTION PROCESS
• The Server Key is used to decrypt the Safe Key
• The Safe Key is used to decrypt the File Key
• The File Key is used to decrypt the file

[Diagram: Server Key → (AES-256) → Safe Key → (AES-256) → File Key.]
SECURE RECOVERY MECHANISM
In an emergency situation, the Secure Recovery Mechanism can be used to access file keys.
• A copy of the relevant Safe Key is encrypted with the RecPub Key and stored in each password object
   • RecPub Key is an asymmetric key
• The Safe Key can be decrypted with the RecPrv Key, then used to decrypt the File Key and finally the content
• The RecPrv Key can be used in an emergency situation to decrypt any credential on the Vault
• For day to day operations, we only need the Server Key and the RecPub Key

[Diagram: the same Server Key → Safe Key → File Key chain, with the RecPub Key / RecPrv Key pair (RSA 2048) giving a second way to reach the Safe Key.]
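The three slides above describe one key hierarchy. The Go program below, added here as an illustration and not CyberArk's own code, models it end to end: Store() is the file encryption process, NormalSafeKey() followed by Decrypt() is the normal decryption path, and RecoverSafeKey() followed by Decrypt() is the secure recovery path, which never touches the Server Key. AES-256-GCM as the symmetric mode, RSA-OAEP for the RecPub wrapping, and every function name and the PasswordObject layout are this example's assumptions; the slides give only the key sizes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// PasswordObject is a constructed model of one stored credential file: content
// under the File Key, File Key under the Safe Key, Safe Key copy under RecPub.
type PasswordObject struct {
	Content      []byte // credential sealed with the File Key (AES-256)
	WrappedFile  []byte // File Key sealed with the Safe Key (AES-256)
	RecoverySafe []byte // Safe Key sealed with the RecPub Key (RSA 2048)
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// seal and open use AES-256-GCM with the nonce prefixed to the ciphertext.
// The slides only say "AES-256"; the mode is this example's choice.
func seal(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
func open(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// NewRecoveryKeys generates the RecPub/RecPrv RSA 2048 pair (shipped on CD in practice).
func NewRecoveryKeys() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// NewSafeKey generates a Safe Key and returns it wrapped with the Server Key.
func NewSafeKey(serverKey []byte) []byte { return seal(serverKey, randBytes(32)) }
// Store is the file encryption process: seal the credential with a fresh File Key,
// wrap that key with the Safe Key, and attach a RecPub-wrapped copy of the Safe Key.
func Store(serverKey []byte, recPub *rsa.PublicKey, wrappedSafe, credential []byte) (PasswordObject, error) {
	safeKey, err := open(serverKey, wrappedSafe)
	if err != nil {
		return PasswordObject{}, err
	}
	recCopy, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recPub, safeKey, nil)
	if err != nil {
		return PasswordObject{}, err
	}
	fileKey := randBytes(32)
	return PasswordObject{seal(fileKey, credential), seal(safeKey, fileKey), recCopy}, nil
}

// NormalSafeKey is the day-to-day path: the Server Key, in memory since Vault start, decrypts the Safe Key.
func NormalSafeKey(serverKey, wrappedSafe []byte) ([]byte, error) {
	return open(serverKey, wrappedSafe)
}
// RecoverSafeKey is the emergency path: the RecPrv Key decrypts the Safe Key copy inside the object.
func RecoverSafeKey(recPrv *rsa.PrivateKey, obj PasswordObject) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recPrv, obj.RecoverySafe, nil)
}

// Decrypt finishes either path: Safe Key -> File Key -> content.
func Decrypt(safeKey []byte, obj PasswordObject) ([]byte, error) {
	fileKey, err := open(safeKey, obj.WrappedFile)
	if err != nil {
		return nil, err
	}
	return open(fileKey, obj.Content)
}
```

Because the Safe Key copy inside every object is wrapped with RecPub, an attacker who obtains the files and the RecPrv Key needs nothing else; that is why the slides keep RecPrv on the Master CD only.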
HOW ENCRYPTION KEYS ARE DISTRIBUTED
Every new system is shipped with two CDs:
• Operator CD
   • Operator CD contains:
       • Server Key
       • Recovery Public Key
   • Operator CD keys are required to install and start the vault server.
• Master CD
   • The Master CD contains:
       • Server Key
       • Recovery Public Key
       • Recovery Private Key
   • Master CD keys are to be used for emergencies.
       • Login as Master, recover the Vault, or re-key the Vault.
MASTER KEY STORAGE STRATEGIES
Always store the Master CD in a secure location, such as a physical safe. And don’t forget to put a copy at your Disaster Recovery site.
OPERATOR KEY STORAGE STRATEGIES
• STRONG: Store the Operator CD in a secure location and insert the CD whenever starting/restarting the vault.
• CONVENIENT: Copy the contents of the Operator CD to direct attached storage of the Vault server(s) and secure with NTFS Permissions.
• STRONG & CONVENIENT: Store the Server Key in a Hardware Security Module (HSM).
VAULT ADMINISTRATION TOOLS
VAULT SERVER CENTRAL ADMINISTRATION STATION
• Some of the operations the Server Interface allows are:
   • Starting and stopping the PrivateArk Server Windows service.
   • Displaying the Vault Server log (ITALOG.LOG).
• The Server interface is installed on the Vault host and cannot be installed on other machines
REMOTE CONTROL AGENT
• The Remote Control Agent allows you to perform several Vault admin tasks (without restarting the
  Vault) and view machine statistics
• Executed from a remote machine (no need to open RDP Port)
• Communicates through the CyberArk Remote Control protocol on port 9022
  Note: The Remote Control Agent is also required to send out SNMP traps
Monitoring the Vault status using the Remote Client: [screenshot]
PRIVATEARK CLIENT
• The PrivateArk Client is the administrative interface to the Vault data.
• The PrivateArk Client can be installed on any station with access to the Vault.
• When you log into the PrivateArk Client, you will see a list of safes
• The safes you see depend on your authorizations: Are you a safe owner (member)?
VAULT CONFIG FILES AND LOGS
VAULT CONFIGURATION FILES
• dbparm.ini
   • Main configuration file of the Vault
   • Any change requires a restart of the Vault service
• passparm.ini
   • Configure password policy for users of the Vault
• PARagent.ini
   • Configure Remote Control Agent in the Vault
   • SNMP Configuration
• tsparm.ini
   • Configure the physical disks used to store Vault data
DBPARM.INI
• dbparm.ini: Current Vault configuration file, contains parameters for Log Level, Server Key, Syslog, Timeouts, Recovery Key, etc.
• DBPARM.sample.ini: Contains all the possible configuration options. Full info on the parameters is contained in the PAS Reference Guide.
• dbparm.ini.good: Contains the last known working configuration of the dbparm.ini file. Created automatically when the Vault server starts up.
VAULT LOG FILES
• Italog.log
   • Main log file of the Vault server.
• Trace.d0
   • Trace file of the Vault.
   • It is detailed according to the debug level configured in the dbparm.ini.
VAULT CONFIGURATION FILES AND LOGS - PRIVATEARK CLIENT
• The Vault’s main configuration files and logs can also be accessed in the System safe from remote stations using the PrivateArk Client.
• A new License.xml file can be copied into this safe to update the license without restarting the Vault service.
CPM
CENTRAL POLICY MANAGER
CENTRAL POLICY MANAGER
The CPM performs password changes and SSH Key rotations on devices based on the policies set by Vault Administrators.

[Diagram: the Central Policy Manager reads the Policy and replaces the accounts' current passwords in the IT Environment with generated ones. Sample accounts shown: Unix root, Oracle SYS, Windows Administrator, z/OS DB2ADMIN and Cisco enable, all with the password tops3cr3t, being replaced by generated passwords such as y7qeF$1, Im7yT%w, Tojsd$5fh, gviNa9% and X5$aq+p.]
CPM PASSWORD CHANGE PROCESS
When the CPM needs to change a password the following process is executed:
1. CPM → Vault: scan Vault for account
2. Vault → CPM: account info & current passwords
3. CPM → Target: login using current credentials (success or failure)
4. CPM: generate password
5. CPM → Target: connect & run change password (success or failure)
6. CPM → Target: login using new credentials (success or failure)
7. CPM → Vault: store new credentials
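The sequence above as a small Go simulation, added here and not CPM code: ChangePassword() runs the steps in that order against a Target interface, and a constructed fakeTarget lets a failure be injected at each point so the effect of the ordering is visible. The Account, Target, Step and Pending names are this example's assumptions; in particular, holding a new password as "pending" instead of storing it when the target reports a successful change that then fails verification is this example's handling, not a documented CPM behaviour.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Account is the Vault's record of a managed credential (constructed model).
type Account struct {
	System, User, Password string
	// Pending holds a new password that was set on the target but could
	// not be verified, so neither stored value is known to be current.
	Pending string
}

// Target is whatever the CPM reaches over the system's native protocol.
type Target interface {
	Login(user, password string) error
	ChangePassword(user, newPassword string) error
}

// Step names the point at which a change attempt stopped.
type Step string
const (
	StepVerifyOld Step = "login using current credentials"
	StepChange    Step = "connect & run change password"
	StepVerifyNew Step = "login using new credentials"
	StepDone      Step = "store new credentials"
)
func generatePassword() string {
	b := make([]byte, 18)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// ChangePassword runs the slide's sequence: verify the current credentials,
// generate, change on the target, verify the new credentials, and only then
// store them in the Vault record.
func ChangePassword(acct *Account, target Target) (Step, error) {
	if err := target.Login(acct.User, acct.Password); err != nil {
		return StepVerifyOld, fmt.Errorf("%s: %w", StepVerifyOld, err)
	}
	newPass := generatePassword()
	if err := target.ChangePassword(acct.User, newPass); err != nil {
		return StepChange, fmt.Errorf("%s: %w", StepChange, err)
	}
	if err := target.Login(acct.User, newPass); err != nil {
		// The change reported success but the new credential does not work:
		// keep the candidate for an operator to reconcile instead of
		// overwriting the only password known to have worked.
		acct.Pending = newPass
		return StepVerifyNew, fmt.Errorf("%s: %w", StepVerifyNew, err)
	}
	acct.Password, acct.Pending = newPass, ""
	return StepDone, nil
}

// fakeTarget is a constructed in-memory system with injectable failures.
type fakeTarget struct {
	password    string
	failChange  bool // change command returns an error
	lieOnChange bool // change command reports success but does not apply
}

func (f *fakeTarget) Login(user, password string) error {
	if password != f.password {
		return errors.New("authentication failed")
	}
	return nil
}

func (f *fakeTarget) ChangePassword(user, newPassword string) error {
	if f.failChange {
		return errors.New("change command rejected")
	}
	if !f.lieOnChange {
		f.password = newPassword
	}
	return nil
}
```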
CPM SERVICES
CPM DIRECTORIES
LOG FILES
• Activity Logs (Logs folder)
   • pm.log – contains all the log messages, including general and informative messages, errors, and warnings.
   • pm_error.log – contains only warning and error messages.
• Third party log files (Logs\ThirdParty folder)
   • Generated by the CPM’s password generation plug-ins when an error occurs
   • Name of the log file: <type of password>-<Safe>-<folder>-<name of password object>.log
     E.g., Operating System-UnixSSH-1.1.1.250-Root.log
• History log files (Logs\History folder)
   • After a log file has been uploaded into the Safe, it is renamed and moved into the History subfolder.
   • The file is marked with a time stamp and renamed as follows: <filename> (<date>-<time>).log
          PVWA
PASSWORD VAULT WEB ACCESS
PVWA SERVICE (IIS SERVICES)
As the PVWA is a website running on IIS, you can control it through the IIS Manager interface or use the command line:
iisreset /restart
or
iisreset /status
to check the status of the website.
PVWA DIRECTORIES (IIS FOLDER)
• PVWA application files are located at: C:\Cyberark
• Web page: IIS Virtual Folder - PasswordVault

PVWA LOG LOCATION
• Default Log File Location: %windir%\temp\PVWA\
• Can be changed by going to the PasswordVault folder in IIS, opening the file web.config, and modifying the "LogFolder" parameter
PVWA – LOGGED IN AS A VAULT ADMIN – V10
• A new PVWA UI was released in v10.
• The Accounts view has been modified to provide a better user experience and a new System Health window has been added.
• Some features still require the version 9 interface, which can be accessed by a dedicated link.
SYSTEM HEALTH
• A new System Health window has been added
• In V10.2, drill-down windows were added for each component
• You can click on the ‘?’ to access on-line help
ON-LINE HELP
• On-line Help is available and includes easily searchable information from our documentation.
ON-LINE HELP CONT.
• At the bottom of the online help window, there are links to other resources.
• Explore the CyberArk web site
• Connect to the CyberArk Customer Community
• Learn about additional resources that can be found at the Resource Center:
    • Webinars, Case Studies, Brochures and Datasheets, videos, and more
• Provide feedback or Contact CyberArk Support
CYBERARK RESOURCE CENTER
• Flexible search criteria
• A variety of resources are available to search.
INSIDE THE VAULT
VAULT INITIAL SAFES – PRIVATEARK CLIENT
• The three initial safes created during the Vault installation are:
   • Notification Engine: used by the ENE service
   • System: contains the file links for dbparm.ini, etc.
   • VaultInternal: contains configuration data for CyberArk LDAP integration
VAULT BUILT-IN USERS AND GROUPS – PRIVATEARK CLIENT
Tools->Administrative Tools->Users and Groups
• When the Vault is installed, a set of pre-defined users and groups is created.
• They each have different permissions based on their specific roles.
CPM SAFES – PRIVATEARK CLIENT
There are two safes shared by all CPM servers:
   • PasswordManager_Pending
   • PasswordManagerShared
The remaining four safes will be duplicated for each CPM in the CyberArk environment and named after the user for that CPM, e.g.
   • PasswordManager
   • PasswordManager_ADInternal
   • PasswordManager_info
   • PasswordManager_workspace
CPM VAULT USER – PRIVATEARK CLIENT
Tools->Administrative Tools->Users and Groups
• When creating new Safes using the PVWA, the CPM user is created automatically
• By default, the first CPM user’s name is PasswordManager
PVWA SAFES – PRIVATEARK CLIENT
• PVWAConfig – configuration settings for PVWA.
• PVWAPrivateUserPrefs – user preference settings.
   • Note: The above two safes should not be accessed directly
• PVWAPublicData – contains the help documents that can be accessed in the PVWA.
• PVWAReports – completed reports
• PVWATaskDefinitions – report definitions.
PVWA VAULT USERS AND GROUPS – PRIVATEARK CLIENT
Tools->Administrative Tools->Users and Groups
• PVWAAppUser is used by the Password Vault Web Access for internal processing
• PVWAGWUser is the Gateway user through which other users will access the Vault
PVWA GATEWAY USER
[Diagram: IT Administrator Rotem logs in to the PVWA; the PVWA connects to the Vault in the IT Environment as the Gateway user on Rotem's behalf, shown as PVWAGWUser (Rotem).]
SUMMARY
• The CyberArk PAS system architecture
• The different layers of security that protect the Vault data
• The various encryption methods used and how to protect the keys
• The tools available to administrators
• Configuration files and logs
• The CPM and the PVWA
• The contents of the Vault
ADDITIONAL RESOURCES
      Documentation
      • Hardening the CPM and PVWA Servers
      • CyberArk Digital Vault Security Standards
      • Security Fundamentals for PAS
THANK YOU