
CyberArk Privilege Cloud

Install & Configure


for ISPSS

page 1
2/27/2023

© Cyber-Ark® Software Ltd - No part of this material may be disclosed to any person or firm or reproduced by any means, electronic
and mechanical, without the express prior written permission of Cyber-Ark® Software Ltd.
Contents

INTRODUCTION
  USING SKYTAP
  INTERNATIONAL USERS

INTRODUCTION TO PRIVILEGE CLOUD
  GETTING TO KNOW THE ENVIRONMENT

PREPARATION
  COPY THE TENANT INFORMATION TO THE SKYTAP VIRTUAL MACHINE
  SET THE PASSWORD FOR CYBERARK CLOUD ADMIN USER
  SET THE PASSWORD FOR THE IDENTITY INSTALLER USER
  RUN THE PREREQUISITES SCRIPT

DEPLOY COMPONENTS USING CONNECTOR MANAGEMENT
  DEPLOY THE MANAGEMENT AGENT
  DEPLOY THE PRIVILEGE CLOUD COMPONENTS – CPM AND PSM
    Selecting which Components to install
    Confirm the CPM and PSM were successfully installed

APPLY THE HARDENING GPO
  IMPORT THE CPM AND PSM HARDENING GPO
  LINK THE HARDENING GPO TO THE SERVERS
  UPDATE THE GPO SETTINGS ON THE CONNECTOR SERVER

DEPLOY THE IDENTITY CONNECTOR
  DOWNLOAD AND EXTRACTION
  INSTALLATION
  CONFIGURATION

CONFIGURE IDENTITY MFA

DEPLOY THE UNIX CONNECTOR (PSM FOR SSH)
  COPY THE PSM FOR SSH INSTALLATION PACKAGE TO THE SERVER
  INSTALL PSM FOR SSH

VERIFY ALL COMPONENTS ARE CONNECTED TO THE VAULT
  ASSIGN AN ADMINISTRATOR ROLE
  LOGIN TO THE PRIVILEGE CLOUD WEB PORTAL

TEST CREDENTIAL AND SESSION MANAGEMENT
  TEST CREDENTIAL MANAGEMENT (CPM)
  TEST SESSION MANAGEMENT (PSM AND PSM FOR SSH)
    Test PSM
    Test PSM for SSH

THE END

CyberArk Privilege Cloud Install and Configure

Introduction

Using Skytap

Before beginning the exercises, here are a few tips to help you navigate the labs more
effectively. You can refer to the section for International Users for instructions on changing
the keyboard.

1. The virtual machines need to be running for you to be able to do the exercises. You can start
all the virtual machines with one click by pressing the start button (highlighted in red in the
image below).

Note: The number and names of virtual machines vary by course. The image above is
given as an example and might not match exactly what you see.

Occasionally, for reasons outside our control, one or more machines may fail to start up when
requested. If you notice that a particular machine is not responding to a ping or if you cannot log
in using Active Directory, you should check your virtual machines to make sure they are all
running properly.

2. Click on the large monitor icon to connect to a virtual machine with the HTML 5 client.


3. Use the Ctrl-Alt-Del button on the tool bar to send a Ctrl-Alt-Del to the machine.

4. The clipboard icon will allow you to copy and paste text between your computer and your
lab machine. Do NOT copy and paste from this PDF into the Privilege Cloud tool. It will
not work.

5. The full screen icon will resize your virtual screen to adapt to your computer’s screen
settings to avoid scrolling.


6. You may need to adjust your bandwidth setting on slower connections.

International Users

By default, the lab machines are configured to use a US English keyboard layout. If you use a
machine from a country other than the US, you may experience odd behavior from your lab
machines. The solution is to install the keyboard layout for your keyboard on our lab machines.
Follow the process below to find and configure the correct keyboard layout for your keyboard.

1. From the Start Menu launch “Add a language.”


2. Click “Add a language.”

3. Select your language. Click Open.


4. Select your specific locality or dialect. Click Add.

5. With the option English (United States) selected, click the Move down button. This will
make your language the default. Don’t remove US English altogether as your instructor
may need it if he/she connects to your machine.

Note: If you use an alternate keyboard layout (e.g. AZERTY, Dvorak) you can click options
next to your language to install that. Otherwise, close the Language window.


6. In the system tray, click ENG, then choose your keyboard layout. You may switch back
and forth between keyboard layouts. Your instructor may need to switch back to ENG to
help you with exercises.


Introduction to Privilege Cloud


Welcome to CyberArk Privilege Cloud Install and Configure training. The purpose of this
training is to enable you to securely deploy the CyberArk Privilege Cloud solution.

Getting to Know the Environment

Our environment consists of a total of 5 virtual servers. Some host CyberArk components; some
are IT infrastructure, such as the Domain Controller; and finally others have nothing to do with
either CyberArk or IT and are what we call the target servers, such as servers hosting human
resources or finance applications, for example.

The goal is to provide trainees with an environment that resembles as closely as possible an actual
production environment. As such, there is a domain with Active Directory, a certification
authority, and so on. Our goal is to integrate CyberArk Privilege Cloud in this corporate
environment and to bring the principal privileged accounts under CyberArk control.

The table below lists the various servers, their roles, and configuration. The lines shaded blue
represent servers hosting CyberArk services.

Host name      IP Address   Operating system      Role
-------------  -----------  --------------------  ------------------------------------------------------------
dc01           10.0.0.1     Windows 2019 Server   Domain controller, Active Directory
connector1     10.0.20.1    Windows 2019 Server   CyberArk Connector server hosting: CPM, PSM, Secure Tunnel, Identity Connector
unixconnector  10.0.0.4     CentOS Linux 7        CyberArk Unix Connector server hosting: PSM for SSH (also known as PSMP)
target-win     10.0.21.1    Windows 2019 Server   Target Windows server
target-lin     10.0.0.20    CentOS Linux 7        Target Linux server
Firewall       NA           FreeBSD               Restricting traffic to the environment to only CyberArk communications

We will do most of our work on the machine Connector1, also known as the 02 -
connector1 server. For convenience, it will also serve as the workstation for the Vault
administrator.

All servers are configured to start automatically when the general power-on button is clicked in
Skytap. Obviously, for CPC to work properly, the servers need to be running. So, if you run into
problems the first thing to do is to check that all the machines are up and running.


Preparation
In this first section, we will prepare our environments for the installation and configuration of the
CyberArk Connector software, which allows the current machine to communicate with the
CyberArk Privilege Cloud. We will:

• Copy the tenant information to the Skytap virtual machine
• Set the password for CyberArk Cloud admin user
• Set the password for the Connector installer user
• Run the prerequisites script

Copy the tenant information to the Skytap virtual machine

As a first step, we will copy the information we received from the CyberArk Identity
Security Platform to the Skytap environment as we will need this information during the
course of the installation.

1. Launch the Skytap environment and start up ALL the machines. You can do this by clicking
on the master start button.

2. Once all the machines have started (this will take a few minutes), click on the VM 02 -
connector1 and log in to Windows as Mike / Cyberark1.

3. In the VM, open up Notepad or Notepad++, then go to the email you received from
CyberArk (outside of Skytap), copy the tenant information, and then paste it into the Skytap
clipboard as shown below. This will allow us to copy and paste the information required for
the installation and configuration of the CyberArk Connector into the virtual machine.


4. Then, inside the virtual machine (02 - connector1), paste the information into
Notepad and then save it to your desktop with a meaningful name (e.g.,
“tenant_info.txt”).

Note: The copy and paste feature can be tricky, but with a little persistence, it will work.

Set the password for CyberArk Cloud admin user

Next, you will need to log in to the CyberArk Identity Security Platform and set the password for
the administrator account. This is the account that is the administrator of the CyberArk Privilege
Cloud tenant.

You should still be logged in to VM 02 - connector1 as Mike / Cyberark1.


1. Open Chrome (you have a shortcut in the taskbar), then copy and paste the URL you received
in the mail from your Notepad file. It should look something like:
https://acme-emea-09.cyberark.cloud. The region – EMEA, USCT, or APJ – will depend on where
you are taking the course. The number is assigned arbitrarily.

2. Enter your CyberArk Identity Security Platform username and click Next. This
information is in the email you received and it should be in your tenant_info.txt file.

3. You will next be prompted for a password, which we don’t have, so click on Forgot your
password? to initiate a password reset.


4. Select the option to authenticate by email and click Send me an email.

5. You will receive an email with an eight-digit code, which you can then enter into the field
and then click Authenticate.

Note: Rather than entering the code, you can choose to click on the link Continue with
Authentication, which will also allow you to authenticate.

Note: Make sure that your password meets the requirements, which are displayed below
the Next button. Characters NOT to be used when changing password: \&"|<>$ and space.


Set the password for the Identity installer user

In this section, we will set a new password for the built-in Identity user account –
installeruser – that we will use during the different installation processes we will be running
in this course.

Once again, it is recommended that you keep a copy of this password in your
tenant_info.txt file for convenience.

IMPORTANT! For security reasons, the installeruser password is configured to
expire after 24 hours unless it is reset.

1. You should be logged into Windows on VM 02 - connector1 as Mike / Cyberark1.

2. Open Chrome (you have a shortcut in the taskbar).

3. Navigate to the CyberArk Identity Security Platform URL that was provided to you in
the email containing the privileged cloud tenant details and log in using the username and
password we set previously and then click on Go to Identity Administration.


The first time you connect, you will be presented with an introduction screen. Take the time to
review the material, clicking Next to move through the sections. When you are finished, you
can close the window.

4. In Identity Administration, in the left pane, under Core Services, click Users.
Then on the left, click the All Users or All Service Users set, and then click the
installeruser in the list to view the user details.

5. Note the full name of the Installer user. Copy this username to your tenant_info.txt file as
you will need it at a later stage. Click on Back to Users at the top of the window.


6. Check the box for the installeruser and at the top of the window, click Actions > Set
Password.

7. In the Set User Password dialog box, enter a new password and click Save. Your
password should include alphanumeric characters only and should not include special
characters. Once again, type this password into your tenant_info.txt file, save it, and then
copy and paste it into this window.

Note: Do NOT use the following characters when changing the password: \/<>{}''&"$*@`|
and space. (Password example: C-Uuni1234)


Run the prerequisites script

The final step in our preparations will be to run a script that will check that all the necessary
prerequisites are in place for installing the Privilege Cloud Connector and, if they are not,
help us to resolve any issues.

1. If you are not already logged in, log in to the VM 02 - connector1 server as Mike (password is
Cyberark1).

2. Navigate to C:\CyberArkFiles\Tools\ConnectorCheckPrerequisites_PrivilegeCloud.

3. Run PowerShell as an administrator, which you can do from the Windows file explorer by
going to File -> Open Windows PowerShell -> Open Windows PowerShell as
administrator. This has the advantage of opening the terminal in the current directory, which
is where the script we want to run is located.


Note: The prerequisites script was downloaded to your environment ahead of time for convenience. In production
please run the script again after the update is completed successfully.

Note: Visit the to learn more about the tests performed by the
prerequisites script.

4. Now run the script with this command:

.\ConnectorCheckPrerequisites_PrivilegeCloud.ps1


The script will perform any necessary updates and then ask you to relaunch the script.
Use the Up arrow on your keyboard to relaunch the script.

5. You will then be prompted for information about your CPC tenant, which you can find in
your tenant info file. You will be prompted for:

• Portal URL (https://acme-{you}.cyberark.cloud)
• Customer ID (Tenant ID)

* Remember: This URL will depend on your environment.


6. After performing a number of checks, you will be prompted to deploy RDS. Click
Yes.

7. You will be prompted to restart the server. Make sure you save any changes to your
tenant info file before restarting.

8. Once Windows has restarted, log back in as Mike with the password Cyberark1. The script
will resume automatically.


9. You will be asked to run the CPM Install Connection test. Select Yes.

10. You will be prompted to enter your InstallerUser credentials.


11. At the end of the test, you will be prompted to continue.

12. If you scroll back up to the prerequisites checks, you will see that the process encountered
an error relating to the Secondary Logon service. This is used by the Shadow users to
invoke Apps with Apps.

13. We need to resolve this issue, which we can do by re-running the prerequisites script
with the Troubleshooting flag.

14. Navigate to the folder
C:\CyberArkFiles\Tools\ConnectorCheckPrerequisites_PrivilegeCloud.


15. Run PowerShell as an administrator, which you can do from the Windows file
explorer by going to File -> Open Windows PowerShell -> Open Windows
PowerShell as administrator.

16. Now run the script with this command:

.\ConnectorCheckPrerequisites_PrivilegeCloud.ps1 -Troubleshooting

17. Enable the Secondary Logon service by entering 2.

18. The Secondary Logon service is now enabled.

19. When this step is finished, enter q to return to the previous menu (you may have to enter q
twice to quit).

20. And that completes our prerequisites checks. Log files can be found in the folder where
the script resides:


Deploy Components Using Connector Management


In this section we will deploy CyberArk Privilege Cloud components to our Windows server
(connector1) using the Connector Management interface. We will:

• Deploy the Management Agent
• Deploy the CPM and


Deploy the Management Agent

In this section, we will deploy the Connector Management Agent. This will do two things:

• It will install the Management Agent on the target server, which in our case is
connector1.
• It will also register the connector1 server in the Connector Management interface so that
we will be able to deploy the CyberArk Privilege Cloud components to that server.

1. Navigate to the Privilege Cloud Web Portal URL that was provided to you in the
email containing the privileged cloud tenant details and log in using your Privilege Cloud
username.

2. Click on the icon with the circle and nine dots. Click on Connector Management.

3. No connectors are currently installed. Click on Add a Connector.


4. This will generate a unique PowerShell script with a time-limited security token (valid for 15
minutes). We need to copy this script into PowerShell, so click on Copy to clipboard.

5. Open PowerShell as Administrator on the machine on which you intend to install the
connector (in this case 02 - connector1) and paste the script. Then press ENTER.


6. The script will fetch the resources, install the Connector Management Agent on the server,
and register it (as Connector1) in the CyberArk Privilege Cloud Connector
Management interface.

7. After a minute or so, the Connector Management interface will display the new
Connector.


8. Click on Connector1 to view what components have been deployed. For the
moment, only the Management Agent is installed.

Deploy the Privilege Cloud Components – CPM and PSM

Now that our Connector Manager can communicate with the Privilege Cloud Vault, we will
deploy the Privilege Cloud Component services to the 02 - connector1 server. This will
deploy and configure the CPM and the PSM on the current machine.

The process is performed using the Connector Manager command-line wizard.

Selecting which Components to install

1. Navigate to the Privilege Cloud Web Portal URL that was provided to you in the
email containing the privileged cloud tenant details.

2. Log in using your Privilege Cloud credentials.

3. Click on the Identity Administration services icon (the circle with nine dots as
shown below) and click on Connector Management.


4. Select Connector 1.

5. Click on Add New Component.

6. We can now select which Components we want to install. In this case we will install both
the CPM and the PSM. Click Next.


7. We will do a Production deployment. The POC install implements less
hardening. This is fine for POCs but not for production environments. Enter your
InstallerUser username and password and then scroll down.


8. Locate the PSM section. Here we will enter the credentials of a user who has the
authorization to install and configure elements on the connector1 server. We will use the
domain user Mike. Enter acme.corp for the Domain. Enter Mike for the user name and
Cyberark1 for the password. When you are ready, click Next.

9. Since you already have run the prerequisites script, you can click on Install.


10. The components will now be installed. The installation progress will be displayed. This
will take a few minutes.

11. The installation is complete when all four Components display a green checkmark.

12. Restart the server.

Confirm the CPM and PSM were successfully installed

In this section we will make sure the installation of the CPM and PSM completed
successfully.

1. After the 02 - connector1 server restarts, log in as Mike / Cyberark1.

2. Open the Services applet (you have a shortcut in the taskbar).

3. Verify the following four services are installed and are running:

• CyberArk Central Policy Manager Scanner
• CyberArk Management Agent
• CyberArk Password Manager
• Cyber-Ark Privileged Session Manager


4. Close the Services applet.

Note: We will test credential and session management tasks in a later stage.
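
The same check can be scripted instead of read off the Services applet. The following is an added example, not part of the CyberArk lab material: it looks up the four display names from step 3, and also reports each service's start mode and logon account, which is worth recording before the hardening GPO is applied. The function and variable names are hypothetical.

```powershell
# Added example, not CyberArk's own tooling.
# Run in an elevated PowerShell session on 02 - connector1 after the restart.

# Display names copied from step 3 of the lab guide.
$ExpectedServices = @(
    'CyberArk Central Policy Manager Scanner',
    'CyberArk Management Agent',
    'CyberArk Password Manager',
    'Cyber-Ark Privileged Session Manager'
)

function Get-ConnectorServiceReport {
    param([Parameter(Mandatory)][string[]]$DisplayName)

    # One CIM query for all services. Win32_Service exposes the logon account
    # (StartName), shown as "Log On As" in the Services applet.
    $all = Get-CimInstance -ClassName Win32_Service

    foreach ($name in $DisplayName) {
        $svc = $all | Where-Object { $_.DisplayName -eq $name } | Select-Object -First 1
        [pscustomobject]@{
            DisplayName = $name
            Installed   = [bool]$svc
            State       = if ($svc) { $svc.State } else { 'NotInstalled' }
            StartMode   = if ($svc) { $svc.StartMode } else { $null }
            LogOnAs     = if ($svc) { $svc.StartName } else { $null }
        }
    }
}

$report = @(Get-ConnectorServiceReport -DisplayName $ExpectedServices)
$report | Format-Table -AutoSize

# Anything missing or not in the Running state is a failed installation check.
$notRunning = @($report | Where-Object { $_.State -ne 'Running' })
if ($notRunning.Count -gt 0) {
    Write-Warning ('Not installed or not running: ' + ($notRunning.DisplayName -join ', '))
} else {
    Write-Output "All $($report.Count) expected connector services are installed and running."
}
```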


Apply the Hardening GPO


When the Connector is deployed on an in-domain server, the automatic hardening procedure
is based on a predefined GPO (Group Policy Object). In this section we will apply the
hardening GPO.

Import the CPM and PSM Hardening GPO

1. Switch to VM 01 - dc01 and login as Administrator / Cyberark1.

2. Open the Group Policy Management console (you have a shortcut in the taskbar).

3. Right click on Group Policy Objects and select New.


4. Name the new GPO CPC Components and click on OK.

5. Right-click on the new GPO and select Import settings.


6. Click on Next twice, until you are prompted to select the folder containing the GPO
backup to import the settings from. Then browse to:

C:\CyberArkFiles\Privilege Cloud Connector Unified Hardening
GPO-

Click OK.

7. Then click on Next.


8. Click on Next again to import the settings.

9. Click Next again.


10. Click on Finish.

11. Confirm the settings were imported successfully and click on OK.


Link the Hardening GPO to the Servers

Now we need to link the GPO to the Connector server and enforce it.

1. Expand Servers > expand CyberArk, right-click on Connectors and select Link an
Existing GPO…

2. Select CPC Components and click on OK.


3. Right click on the CPC Components GPO and select Enforced.

4. Click on OK to confirm the change.


5. Confirm that the GPO is linked and enforced.

Update the GPO settings on the Connector Server

1. Switch back to the VM 02 - connector1 and login as Mike / Cyberark1.

2. Open the command line (or PowerShell) as Administrator (you have a shortcut in the
taskbar).

3. Run the following command to update the GPO settings for the server.

gpupdate /force

4. Confirm the policy was updated successfully.


5. Close the command prompt.

6. Although not mandatory, we recommend you restart the server.
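
A successful gpupdate only shows that policy was refreshed, not that the CPC Components GPO was among the objects applied. The following added example (not part of the CyberArk lab material) checks both ends: the link and its Enforced flag on dc01, and the applied-GPO list on connector1. The function names are hypothetical, the OU distinguished name is an assumption derived from the console path Servers > CyberArk > Connectors in acme.corp, and English gpresult output is assumed.

```powershell
# Added example, not CyberArk's own tooling.
$GpoName     = 'CPC Components'   # GPO name used in the import procedure
# Assumption: DN derived from the GPMC path Servers > CyberArk > Connectors in acme.corp.
$ConnectorOu = 'OU=Connectors,OU=CyberArk,OU=Servers,DC=acme,DC=corp'

# Run on 01 - dc01. Requires the GroupPolicy module that ships with the GPMC.
function Test-HardeningGpoLink {
    param([string]$Name, [string]$Target)

    $link = (Get-GPInheritance -Target $Target).GpoLinks |
        Where-Object { $_.DisplayName -eq $Name } | Select-Object -First 1

    [pscustomobject]@{
        Gpo      = $Name
        Linked   = [bool]$link
        Enabled  = [bool]($link -and $link.Enabled)
        Enforced = [bool]($link -and $link.Enforced)
    }
}

# Run on 02 - connector1 in an elevated session after gpupdate /force.
function Test-HardeningGpoApplied {
    param([string]$Name)

    $lines  = @(gpresult /r /scope computer)
    $header = $lines | Select-String -SimpleMatch 'Applied Group Policy Objects' |
        Select-Object -First 1
    if (-not $header) { return $false }

    # LineNumber is 1-based, so index LineNumber is the dashed rule under the
    # header and the GPO names start on the line after it.
    $applied = @()
    for ($i = $header.LineNumber + 1; $i -lt $lines.Count; $i++) {
        $entry = $lines[$i].Trim()
        if ($entry -like 'The following*') { break }   # start of the filtered-out list
        if (-not $entry) {
            if ($applied.Count -gt 0) { break }        # blank line ends the applied list
            continue
        }
        $applied += $entry
    }
    return ($applied -contains $Name)
}

# On dc01:
#   Test-HardeningGpoLink -Name $GpoName -Target $ConnectorOu
# On connector1:
#   Test-HardeningGpoApplied -Name $GpoName
```

A GPO that is linked and enforced on dc01 but missing from the applied list on connector1 usually means the computer account is not in the linked OU or the policy has not refreshed yet.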


Deploy the Identity Connector


The CyberArk Privilege Cloud Identity Connector enables the current server – Connector1 –
to communicate with Privilege Cloud Vault. Its deployment is divided into three phases:

• Download and extraction
• Installation
• Configuration

Download and Extraction

1. Navigate to the Privilege Cloud Web Portal URL that was provided to you in the
email containing the privileged cloud tenant details.

2. Login using your Privilege Cloud username.

3. Go to Identity Administration.

4. Click on Settings > Network in the menu bar on the left and click on Add CyberArk
Identity Connector.


5. Select Download. Once the file is downloaded, you can close this dialog.

6. For the sake of consistency, move the Zip file to c:\CyberArkFiles\InstallationFiles
and then extract the files to that location.

Installation

Now we will begin the actual installation of the Identity Connector.


1. In the extracted directory, right-click on the executable and select Run as
administrator.

2. Then click Yes at the UAC dialog to allow the software to run.

3. Click Next to launch the installation wizard.


4. Tick the box to accept the terms of the license agreement and then click Next.

5. Click Next to install all tools.


6. Click Install.

7. At the end of the installation, click Finish. This will end the installation phase of
CyberArk Identity Connector deployment and will immediately launch the
Connector Configuration Wizard, which we will see in the next section.

Configuration

After installation, the Connector Configuration Wizard should launch automatically. If it does
not, you can find it in the Start Menu.


1. On the welcome dialog, click Next.

2. Enter the full InstallerUser username and its password and click Next.

Note: It does ask for the “admin user”, but what it needs here is the installer user.

3. We will not be using a web proxy, so just click Next.


4. Uncheck the box for Activate Idaptive Pages and click Next.

5. In this step, we will allow the Identity Connector access to the Deleted Objects
container. Select the domain acme.corp and click Edit.


6. Because we are logged in as Mike, who is a domain admin, we can use the current
credentials. Click OK.

7. Click Yes to change the container ownership and then click Next.


8. The Connector Configuration Wizard will then execute a number of checks, which
should all succeed. When finished, click Next.

9. The Connector service will then start up and you will see Connector setup is
complete. Click Finish to exit the wizard.


10. As a final step, we will verify that the changes we have made locally in our Skytap
environment have been reflected in the CyberArk Identity configuration in the Cloud. The
last connection result should show as successful.


Note: You may receive a connection error at this point. Occasionally, the installation
process does not release the ports used during the installation process. A reboot will correct this.

11. Now log in to the Identity Portal with your admin user, go to Identity
Administration | Settings | Network and confirm your directory forest and
connector hostname are present.

12. Restart the server.

13. Check that the new service is running. You should now have five CyberArk services up and
running.


Configure Identity MFA


In this section, we will create a profile for multi-factor authentication using a password and an
email notification as the two factors. We will then create a new, dedicated authentication policy for
CyberArk Identity and apply this profile to it. In this way, all authentication to our CyberArk
systems will require 2FA.

1. Login to Identity and go to Identity Administration > Settings > Authentication >
Authentication Profiles.

2. Click on Add Profile.

3. Name the new profile MFA Profile. Enable Password for Challenge 1 and Email
confirmation code for Challenge 2. Click OK when you are finished.


4. Now go to Core Services > Policies and click Add Policy Set.

5. Under Policy Settings, name the new Policy MFA Policy and check the button for
Specified Roles. This will allow you to add new roles to the policy. Click the Add
button.


6. Check the boxes for the four following Privilege Cloud built-in roles and click Add.

• Privilege Cloud
• Privilege Cloud Auditors
• Privilege Cloud Safe Managers
• Privilege Cloud

Tip: You can enter the string ‘privilege’ in the search field to reduce the number of
options.


Note: For each of these roles, there are three versions: the plain one (e.g. Privilege Cloud Users), a Basic ve
version, as shown in the image above.

7. Still under MFA Policy, select the Authentication Policies tab and then CyberArk
Identity.

8. Set Enable authentication policy controls to Yes.

9. Then change the Default Profile to MFA Profile. Make sure to click Save when you are
done.


Deploy the Unix Connector (PSM for SSH)


In this section we will install the PSM for SSH, which enables users to connect to target UNIX
systems from their own workstations without interrupting their native workflow. To do so, we will
use the deployment script that is provided by CyberArk and which you can download from the
Marketplace.

Copy the PSM for SSH Installation package to the Server

We will first extract the installation files and then copy them over to the unix-connector
server, which is where we will install PSM for SSH.

1. Login to VM 02 - connector1 as Mike / Cyberark1.

2. Open the Windows explorer and navigate to c:\CyberArkFiles\InstallationFiles.

3. Right-click on the PrivilegedSessionManagerSSHProxy-RHELinux-Intel64-Rls-

4. Click on Extract to extract the PSM for SSH installation to the suggested folder.


5. Go to C:\CyberArkFiles\InstallationFiles\psmpwiz-main and copy the file named
psmpwiz1300.sh. Paste this file into the folder you just extracted:

C:\CyberArkFiles\InstallationFiles\PrivilegedSessionManagerSSHProxy-RHELinux-Intel64-Rls-v13.0

6. Now open WinSCP (you have a shortcut in the taskbar).


7. Connect to the PSM-SSH machine (10.0.0.4) as root (password is Cyberark1).

8. In the right-hand pane, you should be in the root user’s home directory: /root. In the
left-hand pane, locate the newly extracted directory –
c:\CyberArkFiles\InstallationFiles\PrivilegedSessionManagerSSHProxy-RHELinux-Intel64-Rls-v13.0 –
and drag and drop it into the /root directory on the PSM-SSH machine, as shown in the image below.

9. When the file transfer is finished, you can close WinSCP.


Install PSM for SSH

1. Open PuTTY (you have a shortcut in the taskbar).

2. Connect to the PSM-SSH server (10.0.0.4) as root with the password Cyberark1.

3. Change directory to /root/PrivilegedSessionManagerSSHProxy-RHELinux-Intel64-Rls-v13.0.

4. We need to make the script executable, so run the following command:

chmod 755 psmpwiz1300.sh

5. Run the list command to verify that your script is indeed executable.

ls -al


6. Now run the script.

./psmpwiz1300.sh

7. The script will first try to connect to GitHub to find a more recent version.

8. Next, you will be prompted for the Vault Address. This is the same address we used
when deploying the connector on the Windows server and is in the format:

vault-{subdomain}.privilegecloud.cyberark.cloud

Where {subdomain} corresponds to your environment. For example:

vault-acme-emea-09.privilegecloud.cyberark.cloud


9. You will be asked to confirm the address. Enter y and hit Enter.

10. You will then be prompted to perform a connectivity test. Enter y and hit Enter.

11. If the connectivity test is successful, you will be prompted for the Privilege Cloud
Install Username. This is the same installer user that we used earlier. Copy the
information from your notepad file and hit Enter.

12. When prompted, copy and paste the installer user password and hit Enter.

13. You are then asked if you want to validate those credentials. Enter y and hit Enter.

14. Lastly, copy and paste the Portal URL from the Notepad file, but without the https://.

15. If the validation is successful, the installation process will begin. This will take a
couple of minutes, so please wait while the PSM for SSH is installed.


16. You will see a message when the installation completes successfully.

17. When the installation completes, you can close your PuTTY session.


Verify all Components are connected to the Vault


In this section, we will verify that all the components we installed are connected to the
Vault. To do this, we will:

• Assign an administrator role to our user in Identity Administration.

• Log in to the Privilege Cloud Web Portal, which is the cloud equivalent of the PVWA.

Assign an administrator role

We will first need to assign ourselves a role as an administrator in CyberArk Privilege Cloud.

1. Log in to Identity Administration and go to Core Services > Roles.

2. Click on Privilege Cloud Administrators > Members and then click the Add button.

3. Search for your user, tick the box next to it, and then click the Add button.


4. You should see your user in the list of Members. Click the Save button to commit the
change.

5. You are now the administrator of your CyberArk Privilege Cloud.

Login to the Privilege Cloud Web Portal

1. Open a new tab in your browser and enter the address for your tenant:

https://{subdomain}.cyberark.cloud/privilegecloud


You should be redirected to the Privilege Cloud Portal, which, for those familiar with
the CyberArk PAM Self-Hosted solution, is essentially the PVWA.

2. Click on System Health and verify that you have 1 user instance for the CPM and 2 user
instances for the PSM / PSM for SSH.


Test Credential and Session Management


In this section, we will test credential and session management for both Windows and Linux
target machines, and make sure our components are working as expected.

Note: The following exercises are based on topics covered in the PAM or Privilege Cloud
Administration courses, which are a prerequisite to this course.

Test Credential Management (CPM)

1. If you are not still connected, log in to 02 - connector1 as Mike / Cyberark1.

2. Open Chrome and navigate to the Privilege Cloud portal URL assigned to you.

3. Login as the Privilege Cloud admin user.

4. Create a safe called TEST. We don’t need to assign any users to it, so just click the
Skip and create Safe button.

5. Onboard the following test accounts to the TEST safe:

              Target Linux     Target Windows
System Type   *NIX             Windows
Platform      Unix via SSH     Windows Server Local Accounts
Username      root             Administrator
Address       10.0.0.20        target-win.acme.corp
Password      Cyberark1        Cyberark1

6. Confirm the CPM can verify and change the target Linux and target Windows
privileged accounts.


Test Session Management (PSM and PSM for SSH)

Test PSM

1. Set Require privileged session monitoring and isolation in the Master Policy to
Active for all platforms.

2. Verify that you can launch a privileged session to both Target accounts (root and
Administrator). If prompted, enter a reason for accessing the account.
(Please note the connection to root on 10.0.0.4 may be slow. This is a Skytap issue.)


Test PSM for SSH

1. Open PuTTY (you have a shortcut in the taskbar).

2. Launch a privileged session to the target Linux machine as root (via PSM for SSH). Use
the following connection string:

<privileged cloud admin username>@root@10.0.0.20@unixconnector


3. You will be prompted for your admin user password and then you will need to choose your
2FA authentication method – either 1. Click the link to authenticate, or 2. Enter code
manually. Choose an option and then authenticate according to the method chosen.
Again, the connection to 10.0.0.20 may be slow (after you have provided a reason for the
connection). Do not worry.


The End
And that completes the installation and basic configuration of the CyberArk Privilege Cloud
solution integrated with the Identity Security Platform Shared Services.
