CyberArk University
Integrations
Objectives
By the end of this session you will be able to:
▪ Describe how Identity & Authentication (I&A) functions in CyberArk.
▪ Integrate CyberArk with the following external systems:
■ LDAP Integration
■ SMTP Integration
■ SNMP Integration
■ SIEM Integration
■ NTP Integration
LDAP Integration
Overview
▪ LDAP integration allows an organization to automate user provisioning and
to keep Vault administration separate from I&A functions.
▪ Users are transparently provisioned in the Vault with their user information
(full name, email address) and their security information (such as group
memberships).
LDAP Integration (1)
▪ Prepare the LDAP server:
■ Create an LDAP Bind account with READ ONLY access to the directory.
• Have the User Name, Password, and DN available.
■ Create three LDAP groups that will be used for Vault access:

LDAP Group                 Vault Group
CyberArk Administrators    Vault Admins
CyberArk Auditors          Auditors
CyberArk Users             No mapping to any Vault group
LDAP Integration (2)
▪ Configure the LDAP connection to the external directory.
■ Test the connection using the Test button.
▪ Configure typical CyberArk roles based on the predefined directory maps
(optional).
Directory Mapping
▪ A Directory Map determines whether a User Account or Group may be
created in the Vault, and the roles they will have.
• User Mapping – allows for authentication and defines user’s attributes,
such as Vault Authorizations and Location.
• Group Mapping – makes LDAP groups searchable from within CyberArk,
allowing mapped groups to be granted safe authorizations and to be nested
within built-in CyberArk groups.
Predefined Directory Maps
▪ When the first directory is configured using the setup wizard, predefined
directory mappings are created automatically with standard Vault
Authorizations and nested group settings for: CyberArk Users, Vault
Admins, and Auditors.
▪ You can use these directory maps immediately, modify them with relevant
mapping rules, or create new directory maps using the PrivateArk Client.
Vault Admins
▪ After completing the configuration using the Wizard:
■ the AD group CyberArk Vault Admins will be created in the Vault and nested
under the internal Vault Admins group.
■ LDAP users who are members of CyberArk Vault Admins will be able to
authenticate to CyberArk using LDAP authentication.
■ LDAP users who are members of CyberArk Vault Admins will receive all Vault
authorizations based on the User Template in the directory mapping.
■ LDAP users who are members of CyberArk Vault Admins will be able to see
the ADMINISTRATION tab in the PVWA.
Transparent User Management
▪ When users authenticate through LDAP for the first time they are
provisioned automatically in the Vault.
▪ LDAP Users and Groups that have been created in the Vault are marked
with the LDAP User or Group icon.
▪ If you delete a user within CyberArk, it will be automatically re-created upon
login if it still exists within AD. To permanently delete a user, it must be
removed from all groups that have a directory mapping, or deleted from the
external directory.
LDAP Synchronization
▪ The Vault can be synchronized with the External Directories so that changes
made to External User properties can be updated automatically in the Vault.
▪ The relevant parameters are configured in the dbparm.ini file:
AutoSyncExternalObjects=Yes,24,1,5
■ Yes – whether or not to sync with the External Directory
■ 24 – the number of hours in one period cycle
■ 1,5 – the hours during which the sync will take place
(here: once every 24 hours, between 01:00 and 05:00)
SMTP Integration
SMTP Integration
Email integration is critical for monitoring vault activity and facilitating workflow
processes:
■ Dual control messages and notifications
■ Password verification errors
■ Password change failures
■ Advanced notice for password change
• Messages triggered as heads-up notification before passwords expire.
■ New/Modified Password
• Will trigger messages to Safe Owners upon arrival of newly created or
updated Passwords.
Notification Flow Examples
▪ An IT user requests access to an account using the PVWA, or the CPM fails to
verify a password; in both cases the Vault's ENE sends the notification to the
SMTP server on port 25.
SMTP Setup
Email integration prerequisites:
▪ Have the IP address of the SMTP Gateway available.
▪ Ensure that any necessary firewall rules or ACLs allow communications from
the Vault Servers to the SMTP Gateway (TCP port 25).
Confirmation Email
Monitoring the ENE
▪ Log Files
■ Stored on the Vault Server under
Program Files\PrivateArk\Server\ENE\Logs
■ ENEConsole.log – System Status Log
■ ENETrace.log – Messages and errors about activities of the ENE.
• Amount of trace information detail is controlled in the
EventNotificationEngine.ini
▪ Event Viewer
■ Service level events and errors
▪ Remote Control Client
SNMP Integration
Purpose
▪ We recommend not installing any third-party monitoring agents. CyberArk
can send status information to your monitoring solution using SNMP.
▪ SNMP traps can be sent from the Vault to monitoring solutions using the
Remote Control Agent
Prerequisites:
▪ Configure Remote Control Agent
▪ Have IP Addresses of all servers that can accept SNMP traps available.
▪ Have Community String available.
SNMP Setup
▪ paragent.ini defines:
■ Information to be sent via SNMP traps
■ Location of the SNMP trap receiver
■ Note that the sample below keeps the default community string "public";
change it to a site-specific value before going live.
[MAIN]
RemoteStationIPAddress=10.0.0.3
UserCredentialsPath="C:\Program Files (x86)\PrivateArk\Server\ParAgent.pass"
RemoteAdminPort=9022
ExtensionComponentList="C:\Program Files (x86)\PrivateArk\Server\PARVaultAgent.dll,C:\Program Files (x86)\PrivateArk\Server\PARENEAgent.dll"
AllowedMonitoredServices="PrivateArk Database,CyberArk Logic Container"
SNMPTrapsThresholdCPU=200,90,3,30,YES
SNMPTrapsThresholdPhysicalMemory=200,90,3,30,YES
SNMPTrapsThresholdSwapMemory=200,90,3,30,YES
SNMPTrapsThresholdDiskUsage=200,85,3,30,YES
SNMPTrapsThresholdServiceStatus=200,3,30,YES
LogMessagesFilterRegexp=.*
ExludedLogMessagesFilterRegexp=(ITA|PARE|PADR|CAS).*I
SNMPHostIP=10.0.1.1
SNMPTrapPort=162
SNMPCommunity="public"
SNMP Setup
▪ Restart Remote Control Agent
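The following is an added example, not CyberArk code and not part of the original slides. It reviews the SNMP part of the paragent.ini fragment above before the Remote Control Agent is restarted: it flags a vendor-default community string, and it runs constructed Vault log lines through the LogMessagesFilterRegexp / ExludedLogMessagesFilterRegexp pair to show which would become traps. Assumptions: both regexes are applied to the full message text with a start-anchored match (re.match), and Vault message codes have the shape component letters, digits, severity letter (I/W/E); the page states neither.

```python
"""Review the SNMP settings of a paragent.ini fragment (added example).
Assumption: include/exclude regexes are matched against the full message text,
anchored at the start of the message; CyberArk's exact semantics are not given."""
import configparser
import re

# Constructed paragent.ini fragment using the values shown on the slide.
PARAGENT_INI = """\
[MAIN]
RemoteStationIPAddress=10.0.0.3
SNMPHostIP=10.0.1.1
SNMPTrapPort=162
SNMPCommunity="public"
LogMessagesFilterRegexp=.*
ExludedLogMessagesFilterRegexp=(ITA|PARE|PADR|CAS).*I
"""

# Constructed Vault log lines: <component><number><severity> <text>.
# The code shape (letters, digits, then I/W/E) is an assumption.
SAMPLE_MESSAGES = [
    "ITATS005I Vault started successfully",
    "ITATS037E Failed to connect to database",
    "ITATS038E Invalid password for user Administrator",
    "PARE001I Remote Control Agent started",
    "PADR002E Replication to DR Vault failed",
    "CASLC001E CyberArk Logic Container stopped",
]

DEFAULT_COMMUNITIES = {"public", "private"}

# Tighter exclusion: drop only messages whose *code* ends in I (informational),
# not every message that happens to contain a capital I somewhere in its text.
TIGHT_EXCLUDE = r"(ITA|PARE|PADR|CAS)[A-Z]*\d+I\b"


def load_main(ini_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp["MAIN"]


def community_is_default(section):
    """True when the trap community string (quotes stripped) is a well-known default."""
    community = section.get("SNMPCommunity", "").strip().strip('"')
    return community.lower() in DEFAULT_COMMUNITIES


def trapped_messages(section, messages, exclude_override=None):
    """Return the messages that pass the include filter and are not excluded."""
    include = re.compile(section.get("LogMessagesFilterRegexp", ".*"))
    exclude_pat = exclude_override or section.get("ExludedLogMessagesFilterRegexp", "")
    exclude = re.compile(exclude_pat) if exclude_pat else None
    sent = []
    for msg in messages:
        if not include.match(msg):
            continue
        if exclude and exclude.match(msg):
            continue
        sent.append(msg)
    return sent


def review(ini_text=PARAGENT_INI, messages=SAMPLE_MESSAGES):
    section = load_main(ini_text)
    return {
        "default_community": community_is_default(section),
        "sent_with_slide_filter": trapped_messages(section, messages),
        "sent_with_tight_filter": trapped_messages(section, messages, TIGHT_EXCLUDE),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(key, value)
```

Under the stated assumption, the slide's exclusion pattern `(ITA|PARE|PADR|CAS).*I` also suppresses the error "ITATS038E Invalid password for user Administrator", because `.*I` matches the capital I in "Invalid"; the tighter pattern keeps it while still dropping the informational codes.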
SIEM Integration
SIEM Integration
SIEM integration is a powerful way to correlate privileged account usage
recorded by the Vault with privileged account activity observed elsewhere in
the environment.
Prerequisites:
▪ Have IP addresses of all servers that can accept SYSLOG information
available.
▪ Have a resource from the team responsible for the SYSLOG servers
available.
SIEM Setup
▪ We will be sending audit log information to the SIEM.
▪ Rename one of the sample translator files.
■ Translator files translate the CyberArk logging format into the SIEM logging
format.
■ The five sample files cover the most commonly deployed SIEM systems.
SIEM Setup
▪ Add the SYSLOG configuration to the dbparm.ini file.
[MAIN]
TasksCount=20
DateFormat=DD.MM.YY
TimeFormat=HH:MM:SS
ResidentDelay=10
BasePort=1858
LogRetention=7
LockTimeOut=30
DaysForAutoClear=30
DaysForPicturesDistribution=Never
ClockSyncTolerance=600
…
AllowNonStandardFWAddresses=[10.0.0.3],Yes,3389:outbound/tcp,3389:inbound/tcp
ComponentNotificationThreshold=PIMProvider,Yes,30,1440;AppProvider,Yes,30,1440;OPMProvider,Yes,30,1440;CPM,Yes,720,1440;PVWA,Yes,90,1440;PSM,Yes,30,1440;DCAUser,Yes,60,2880;SFE,Yes,10,2880;FTP,Yes,60,2880;ENE,Yes,60,360
[BACKUP]
BackupKey=C:\PrivateArk\Keys\Backup.key
[CRYPTO]
SymCipherAlg=AES-256
ASymCipherAlg=RSA-2048
[SYSLOG]
SyslogTranslatorFile=Syslog\ArcSight.xsl
SyslogServerIP=10.0.255.222
SyslogServerPort=514
SyslogServerProtocol=UDP
SyslogMessageCodeFilter=0-999
SyslogSendBOMPrefix=NO
SIEM Setup
▪ Restart PrivateArk Server Service
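The following is an added example, not CyberArk code and not part of the original slides. It checks the [SYSLOG] section of a dbparm.ini fragment before the PrivateArk Server service is restarted: it parses SyslogMessageCodeFilter, answers whether a given Vault message code would be forwarded, and lists the points a SIEM team usually raises (UDP transport, port, translator file). Assumption: SyslogMessageCodeFilter is a comma-separated list of single codes and inclusive ranges (for example "0-999" or "0-999,1200-1250"); the slide shows only the single-range form.

```python
"""Review the [SYSLOG] section of a dbparm.ini fragment (added example).
Assumption: SyslogMessageCodeFilter is a comma-separated list of codes and
inclusive ranges; the slide shows only "0-999"."""
import configparser

# Constructed dbparm.ini fragment built from the slide's [SYSLOG] values.
DBPARM_INI = """\
[SYSLOG]
SyslogTranslatorFile=Syslog\\ArcSight.xsl
SyslogServerIP=10.0.255.222
SyslogServerPort=514
SyslogServerProtocol=UDP
SyslogMessageCodeFilter=0-999
SyslogSendBOMPrefix=NO
"""


def load_syslog(ini_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp["SYSLOG"]


def parse_code_filter(spec):
    """'0-999,1200-1250,1300' -> [(0, 999), (1200, 1250), (1300, 1300)]"""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if hi_i < lo_i:
            raise ValueError(f"inverted range in SyslogMessageCodeFilter: {part}")
        ranges.append((lo_i, hi_i))
    return ranges


def code_forwarded(code, ranges):
    """True if the numeric message code falls inside any configured range."""
    return any(lo <= code <= hi for lo, hi in ranges)


def review_syslog(ini_text=DBPARM_INI):
    s = load_syslog(ini_text)
    findings = []
    protocol = s.get("SyslogServerProtocol", "UDP").strip().upper()
    if protocol == "UDP":
        # UDP gives no delivery guarantee: dropped audit records go unnoticed.
        findings.append("UDP transport: lost audit records are neither detected nor retransmitted")
    port = int(s.get("SyslogServerPort", "514"))
    if not 1 <= port <= 65535:
        findings.append(f"invalid SyslogServerPort {port}")
    translator = s.get("SyslogTranslatorFile", "").strip()
    if not translator.lower().endswith(".xsl"):
        findings.append(f"translator file does not look like an XSL file: {translator}")
    ranges = parse_code_filter(s.get("SyslogMessageCodeFilter", ""))
    return {"protocol": protocol, "port": port, "ranges": ranges, "findings": findings}


if __name__ == "__main__":
    result = review_syslog()
    print(result)
    print("code 300 forwarded:", code_forwarded(300, result["ranges"]))
    print("code 1000 forwarded:", code_forwarded(1000, result["ranges"]))
```

Run it against your own fragment with review_syslog(open("dbparm.ini").read()) after pasting only the [SYSLOG] section; the findings list is empty when transport, port and translator pass the checks.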
NTP Integration
NTP Integration
NTP integration is important in environments where CyberArk is one of
many systems producing security logs, so that timestamps across all security
devices correlate.
Prerequisites:
▪ IP Address of the Network Time Server.
NTP Integration
▪ Create a firewall exception in DBParm.ini to allow the vault to communicate
on the NTP port (123).
[NTP]
AllowNonStandardFWAddresses=[10.0.1.1],Yes,123:outbound/udp,123:inbound/udp
NTP Integration
▪ Set a special time skew to prevent very large changes to the system clock:
HKLM\System\CurrentControlSet\Services\W32Time\Parameters\Period=65532
▪ 65532 is the W32Time "SpecialSkew" value: synchronize every 45 minutes until
three good synchronizations occur, then once every 8 hours.
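The following is an added example, not CyberArk code and not part of the original slides. It parses the two comma-separated dbparm.ini values shown on this page: the AllowNonStandardFWAddresses firewall exceptions (RDP on the SIEM Setup slide, NTP above) and the AutoSyncExternalObjects schedule from the LDAP Synchronization slide, and answers the two questions asked when reviewing them: does an exception cover a given flow, and is the sync window open at a given hour. Assumptions, since the page does not spell them out: the second field of each exception is a Yes/No enable flag, several exceptions may be joined with ';', and the AutoSyncExternalObjects hours are a 24-hour clock with an inclusive end hour.

```python
"""Parse dbparm.ini firewall exceptions and the LDAP auto-sync schedule
(added example).  Field meanings beyond what the slides show are assumptions."""
from dataclasses import dataclass

# Constructed values copied from the slides (the ';' join is an assumption).
FW_EXCEPTIONS = (
    "[10.0.0.3],Yes,3389:outbound/tcp,3389:inbound/tcp;"
    "[10.0.1.1],Yes,123:outbound/udp,123:inbound/udp"
)
AUTO_SYNC = "Yes,24,1,5"


@dataclass(frozen=True)
class FwRule:
    address: str
    enabled: bool
    port: int
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp" or "udp"


def parse_fw_exceptions(value):
    """'[ip],Yes,port:dir/proto,...;[ip],...' -> list of FwRule, one per port rule."""
    rules = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        fields = [f.strip() for f in entry.split(",")]
        if len(fields) < 3 or not (fields[0].startswith("[") and fields[0].endswith("]")):
            raise ValueError(f"malformed AllowNonStandardFWAddresses entry: {entry}")
        address = fields[0][1:-1]
        enabled = fields[1].lower() == "yes"
        for spec in fields[2:]:
            port, _, rest = spec.partition(":")
            direction, _, proto = rest.partition("/")
            if direction not in ("inbound", "outbound") or proto not in ("tcp", "udp"):
                raise ValueError(f"malformed port rule: {spec}")
            rules.append(FwRule(address, enabled, int(port), direction.lower(), proto.lower()))
    return rules


def flow_allowed(rules, peer, port, direction, protocol):
    """True if an enabled exception covers exactly this peer, port, direction and protocol."""
    return any(
        r.enabled and r.address == peer and r.port == port
        and r.direction == direction and r.protocol == protocol
        for r in rules
    )


def parse_auto_sync(value):
    """'Yes,24,1,5' -> (enabled, period_hours, from_hour, to_hour), range-checked."""
    flag, period, start, end = [f.strip() for f in value.split(",")]
    enabled = flag.lower() == "yes"
    period_h, start_h, end_h = int(period), int(start), int(end)
    if period_h <= 0 or not (0 <= start_h <= end_h <= 23):
        raise ValueError(f"bad AutoSyncExternalObjects value: {value}")
    return enabled, period_h, start_h, end_h


def sync_window_open(value, hour):
    """True if syncing is enabled and `hour` (0-23) lies inside the configured window."""
    enabled, _, start_h, end_h = parse_auto_sync(value)
    return enabled and start_h <= hour <= end_h


if __name__ == "__main__":
    rules = parse_fw_exceptions(FW_EXCEPTIONS)
    print("NTP out to 10.0.1.1:", flow_allowed(rules, "10.0.1.1", 123, "outbound", "udp"))
    print("NTP out to 10.0.1.2:", flow_allowed(rules, "10.0.1.2", 123, "outbound", "udp"))
    print("sync at 03:00:", sync_window_open(AUTO_SYNC, 3))
```

The matching is deliberately exact: a time server at a different address, or NTP over TCP, is not covered by the exception above, which is the behaviour you want to verify before relying on the Vault's own firewall configuration.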
Summary
This session has covered:
▪ LDAP Integration
▪ SMTP Integration
▪ SNMP Integration
▪ SIEM Integration
▪ NTP Integration

Thank You