CyberArk-PAM Implementation

Uploaded by jincy lakshmanan

PAM Implementation

Vault

Prerequisites

1. Install Visual C++ 2015 x86 and Visual C++ 2015 x64.
2. Install .NET Framework 4.8 and restart the machine.
3. Make sure the Vault server is not a member of any domain group.

Installation

1. Extract Server-Rls-v13.0
2. Run the setup file
3. Select Standalone Installation
4. Default installation location: C:\Program Files (x86)\PrivateArk
5. Storage location for Safes: C:\PrivateArk\Safes
6. Enter the license file location: C:\Users\Administrator\Downloads\CYBR_Files\Vault License & Operator Keys\License
7. Enter the Operator CD location. It should contain the Server key, Public key and Initial random data file: C:\Users\Administrator\Downloads\CYBR_Files\Vault License & Operator Keys\Operator CD
8. Skip the Remote Control Agent for now
9. Skip the Distributed Vault platform
10. Make sure you select Do not harden the machine
11. Keep the default Program Folder name, i.e. CyberArk Digital Vault
12. Enter the passwords for the Master user and the Administrator user
13. Select No, I will restart my computer later.

PrivateArk Client Installation


1. Extract Client-Rls-v12.6
2. Go to C:\Users\Administrator\Downloads\CYBR_Files\Vault\Client-Rls-v12.6\Client\ and run the setup file
3. Accept the License
4. Give your Company name
5. Default installation location: C:\Program Files (x86)\PrivateArk
6. Select the client Setup type as Typical
7. Keep the default Program Folder name, i.e. PrivateArk
8. Select Yes for specifying the Vault details
9. Enter the details of the Vault server; specifying a default user name is optional. Click OK
10. Click OK and select Yes, I will restart my computer now
11. Open the PrivateArk Server.
12. Open the PrivateArk Client and log on with the Administrator user.
13. Check whether the default Safes (Notification Engine, System and VaultInternal) have been created.
Note: To log in with the Master user:
a) On the Vault Server, edit “C:\Program Files (x86)\PrivateArk\Server\Conf\DBParm.ini”.
b) In order to use the Master user, the DBParm.ini file must point to the location of the Recovery Private Key.
c) Update the “RecoveryPrvKey” parameter to point to the location of the file called “RecPrv.key” on the Master CD.
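A check for the Master-user prerequisite in the note above, added here as an example that is not part of the original document: it reads the RecoveryPrvKey entry from DBParm.ini (assumed to be a Key=Value line) and reports whether the referenced RecPrv.key is reachable.

```powershell
# Added example, not from the document. Reports the RecoveryPrvKey setting in DBParm.ini
# and whether the key file it points to is currently reachable from the Vault server.
# Assumption: DBParm.ini stores the setting as a "RecoveryPrvKey=<path>" line.
function Get-VaultRecoveryKeySetting {
    param([string]$DbParm = 'C:\Program Files (x86)\PrivateArk\Server\Conf\DBParm.ini')
    if (-not (Test-Path $DbParm)) { throw "DBParm.ini not found at $DbParm" }
    # Take the first line that starts with RecoveryPrvKey (ignores commented-out copies).
    $line = Get-Content $DbParm |
            Where-Object { $_ -match '^\s*RecoveryPrvKey\s*=' } |
            Select-Object -First 1
    if (-not $line) {
        return [pscustomobject]@{ Path = $null; Configured = $false; KeyReachable = $false }
    }
    # Split on the first '=' only, since the path itself may contain '='-free but spaced text.
    $path = ($line -split '=', 2)[1].Trim().Trim('"')
    [pscustomobject]@{ Path = $path; Configured = $true; KeyReachable = (Test-Path $path) }
}

Get-VaultRecoveryKeySetting
```

KeyReachable should be true only while the Master CD is mounted for a Master logon; once that is done, dismounting it returns the recovery private key to offline storage.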

Before moving to the next steps, join the existing server (the components machine) to the domain.

1. Press Windows + R
2. Type ncpa.cpl and press Enter
3. Right click the Ethernet adapter and select Properties
4. Select Internet Protocol Version 4 (TCP/IPv4).
5. Click on Properties.
6. Click on Advanced.
7. Select the DNS tab.
8. Click on Add and enter the Active Directory machine IP address.
9. Now open File Explorer > This PC.
10. Right click and select Properties.
11. Under Computer name, domain, and workgroup settings, click on Change settings.
12. Click on Change next to "To rename this computer or change its domain or workgroup".
13. Under Member of, click on Domain and enter the AD server address.
14. It prompts for a username and password with permission to join the domain.
15. Enter the username and password and click OK. It asks for a restart; click OK again and restart now.
16. Now go to the AD machine and create a user with the name pamadmin.
17. Now log in as the administrator on the components machine and add the pamadmin user to the Administrators group.
18. Click on Windows -> Windows Administrative Tools -> Computer Management -> Local Users and Groups -> Groups
19. Double click on Administrators and click on Add. It asks for the credentials of an account with permissions for the security.com domain; enter the domain administrator credentials.
20. Now check for the pamadmin user and click on OK.
21. Now you can log in with the pamadmin user to the components machine.
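The domain-join procedure above as an added PowerShell example; it is not part of the original document. It assumes the AD/DNS server address (a placeholder) and that the adapter alias is "Ethernet", and reuses the security.com domain and pamadmin user from the steps.

```powershell
# Added example, not from the document. Automates steps 8 and 11-21 above in two parts,
# because the domain join (part 1) needs a reboot before the group change (part 2).
# Assumptions: the AD/DNS address is a placeholder; the adapter alias is "Ethernet".
$AdDnsServer = '10.0.0.10'        # placeholder: replace with the AD machine IP (step 8)
$DomainName  = 'security.com'     # domain named in the document
$PamAdmin    = 'security\pamadmin' # AD user created in step 16

# Part 1: run in an elevated session before the reboot (steps 8, 13-15).
function Join-ComponentsServer {
    # Step 8: point the Ethernet adapter's DNS at the domain controller.
    Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $AdDnsServer
    # Fail early if the DC's LDAP SRV record does not resolve through that server.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop | Out-Null
    # Steps 13-14: join the domain; prompts for an account allowed to join computers.
    $cred = Get-Credential -Message "Account permitted to join $DomainName"
    Add-Computer -DomainName $DomainName -Credential $cred -ErrorAction Stop
    # Step 15: restart to complete the join.
    Restart-Computer -Force
}

# Part 2: run after the reboot, logged on as the local administrator (steps 17-21).
function Grant-PamAdminLocalAdmin {
    if ((Get-CimInstance Win32_ComputerSystem).Domain -ne $DomainName) {
        throw "This machine is not joined to $DomainName; run Join-ComponentsServer first."
    }
    # Steps 18-20: add security\pamadmin to local Administrators, but only once.
    $already = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
               Where-Object { $_.Name -ieq $PamAdmin }
    if (-not $already) {
        Add-LocalGroupMember -Group 'Administrators' -Member $PamAdmin
    }
    # Verification for step 21: pamadmin should now appear with PrincipalSource ActiveDirectory.
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
}
```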

Password Vault Web Access


Installation

1. Log in with the domain user security\pamadmin
2. Extract the file Password Vault Web Access-Rls-v13.0
3. Go to C:\Users\pamadmin\Downloads\CYBR_Files\Password Vault Web Access\Password Vault Web Access-Rls-v13.0\InstallationAutomation, open Windows PowerShell and run the following commands:
   Get-ExecutionPolicy (the result should be “Restricted”; if it is RemoteSigned there is no need to run the next command)
   Set-ExecutionPolicy Bypass -Scope Process
4. Run the PVWA_Prerequisites.ps1 script
5. Now run the setup file
6. Click on Install for Microsoft Visual C++ and click on Yes.
7. Accept the License
8. Give your Company name
9. Default location for web application files: C:\inetpub\wwwroot\PasswordVault
10. Default location for configuration files: C:\CyberArk\Password Vault Web Access
11. Check Install Full Password Vault Web Access
12. Select the Authentication type as CyberArk and LDAP, and the Default Authentication method as None
13. Enter the details of the Vault server and note the default port and the PVWA URL
14. Give the password for the Administrator user and click on Finish.
15. Open Chrome, enter the previously noted PVWA URL and log on with the Administrator user

Privileged Session Manager

Installation

1. Log in with the domain user security\pamadmin
2. Extract the file Privileged Session Manager-Rls-v13.0
3. Open Windows PowerShell as Administrator. Change directory to C:\Users\pamadmin\Downloads\CYBR_Files\Privileged Session Manager\Privileged Session Manager-Rls-v13.0\InstallationAutomation
4. Execute the following commands:
   Get-ExecutionPolicy (the result should be “Restricted”; if the result is RemoteSigned there is no need to execute the second command)
   Set-ExecutionPolicy Bypass -Scope Process
5. Then launch the Execute-Stage.ps1 script with the location of PrerequisitesConfig.xml as the argument:
   .\Execute-Stage.ps1 “C:\Users\pamadmin\Downloads\CYBR_Files\Privileged Session Manager\Privileged Session Manager-Rls-v13.0\InstallationAutomation\Prerequisites\PrerequisitesConfig.xml”
6. When the script asks for a restart, press Enter
7. After the restart the PowerShell script launches immediately to complete the prerequisite installation. Allow the script to complete, then exit PowerShell.
8. Review the PSMPrerequisites<date><time>.log file located in the C:\Windows\Temp directory.
9. Open Server Manager and refresh it immediately after the script completes to see the RDS services.
10. Now run the setup file
11. Click on Install for Microsoft Visual C++ 2015 Redistributable Package (x64 & x86)
12. Accept the License
13. Enter Company name
14. Default installation location: C:\Program Files (x86)\CyberArk
15. Default location for temporary PSM recordings storage: C:\Program Files (x86)\CyberArk\PSM\Recordings
16. Default Configuration Safe name: PVWAConfig
17. Specify the Vault address
18. Enter the password for the Vault server administrator
19. Enter the details of the PVWA server
20. Uncheck PKI authentication and keep the option to harden the PSM server machine selected
21. Check Yes, I will restart my computer now.
22. Open Services and check for the CyberArk Privileged Session Manager service
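The PowerShell steps of the PVWA section (steps 3-4) and the PSM section (steps 3-9) as one added example; this is not code from the document or from CyberArk. It assumes the installation kits sit under the pamadmin Downloads paths used in the document, and scopes the execution-policy change to the current process as the steps do.

```powershell
# Added example, not from the document. Wraps the PowerShell parts of the PVWA and PSM
# installs: execution policy scoped to the process, the prerequisite scripts, log review,
# and the RDS role check. Assumption: kit paths are the ones used in the document.
$PvwaAutomation = 'C:\Users\pamadmin\Downloads\CYBR_Files\Password Vault Web Access\' +
                  'Password Vault Web Access-Rls-v13.0\InstallationAutomation'
$PsmAutomation  = 'C:\Users\pamadmin\Downloads\CYBR_Files\Privileged Session Manager\' +
                  'Privileged Session Manager-Rls-v13.0\InstallationAutomation'

function Set-ProcessBypassIfRestricted {
    # Only needed when the policy is Restricted; -Scope Process means the change ends
    # with this PowerShell session and never alters the machine or user policy.
    $policy = Get-ExecutionPolicy
    if ($policy -eq 'Restricted') { Set-ExecutionPolicy Bypass -Scope Process -Force }
    return $policy
}

function Invoke-PvwaPrerequisites {
    # PVWA steps 3-4.
    Set-ProcessBypassIfRestricted | Out-Null
    Push-Location $PvwaAutomation
    try     { .\PVWA_Prerequisites.ps1 }
    finally { Pop-Location }
}

function Invoke-PsmPrerequisiteStage {
    # PSM steps 4-5; Execute-Stage.ps1 itself prompts for the restart in step 6.
    $config = Join-Path $PsmAutomation 'Prerequisites\PrerequisitesConfig.xml'
    if (-not (Test-Path $config)) { throw "PrerequisitesConfig.xml not found: $config" }
    Set-ProcessBypassIfRestricted | Out-Null
    Push-Location $PsmAutomation
    try     { .\Execute-Stage.ps1 $config }
    finally { Pop-Location }
}

function Get-PsmPrerequisiteLogIssues {
    # PSM step 8: newest PSMPrerequisites<date><time>.log in C:\Windows\Temp, filtered
    # to lines mentioning an error or failure so a silently failed prerequisite is noticed.
    $log = Get-ChildItem 'C:\Windows\Temp' -Filter 'PSMPrerequisites*.log' |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $log) { throw 'No PSMPrerequisites*.log found in C:\Windows\Temp' }
    Write-Host "Reviewing $($log.FullName)"
    Select-String -Path $log.FullName -Pattern 'error|fail'
}

function Test-RdsSessionHost {
    # PSM step 9: the stage should have installed the Remote Desktop Session Host role.
    Get-WindowsFeature -Name 'RDS-RD-Server' | Select-Object Name, InstallState
}
```

Run Invoke-PsmPrerequisiteStage before the reboot and the two check functions after it; an empty result from Get-PsmPrerequisiteLogIssues and InstallState Installed from Test-RdsSessionHost are what you want to see before running the PSM setup file.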

Central Policy Manager

Installation

1. Log in as the domain user security\pamadmin
2. Extract the file Central Policy Manager-Rls-v13.0
3. Accept the License
4. Enter Company name
5. Default installation directory: C:\Program Files (x86)\CyberArk
6. Select No Policy Manager was previously installed.
7. Enter the Vault server address
8. Enter the password for the administrator user on the Vault server
9. Open Services and check for the CyberArk Central Policy Manager service

LDAP Integration

Before starting the LDAP Integration, a few things need to be done in Active Directory.

1. First, create the CyberArk groups named CyberArk Admins, CyberArk Auditors, CyberArk Users and CyberArk Safe Members, to map to the CyberArk internal groups.
2. Create a bind user.
3. Now create a few users and add them to the groups created above
4. Log in to the PVWA console
5. In the navigation pane click on User provisioning -> LDAP Integration
6. Click on New domain
7. Click on Domain name
8. Uncheck Use Secure connection (SSL)
9. Specify the bind user name as bind@security.com and enter the password
10. Enter the domain base context as DC=security,DC=com
11. Check the Domain controller hostname displayed there.
12. After the connection has been established successfully, create the directory mappings:
   a) Vault Admins - CyberArk Vault Admins
   b) Safe Managers - CyberArk Safe Managers
   c) Auditors - CyberArk Auditors
   d) Users - CyberArk Users
13. Click on Save.
14. Now try logging on to PVWA using any AD user who is mapped in the Directory Mapping.

Onboarding a Windows Server account

1. Open the PVWA console
2. Click on Policies -> Master Policy
3. Select Require users to specify reason for access, set it to Inactive and save.
4. Under Session Management, click on Require privileged session monitoring and isolation, set it to Active and save.
5. Click on Administration -> Platform Management
6. Duplicate Windows -> Windows Server Local Accounts
7. Click on the ellipsis -> Duplicate Platform
8. Give the name of the platform as Demo-WIN
9. Click on the ellipsis and click on Activate
10. In the navigation pane click on Policies -> Safes
11. Click on Create Safe
12. Give the Safe name as Demo-WIN-Safe and click on Next
13. Select the Safe members. Filter the source type as security.com (domain name) and the Member type as Group, assign the permissions for CyberArk Users and click Next
14. Set the Safe permissions as Connect only and click on Create Safe.
15. Now click on Accounts -> Add Account
16. Select Windows -> Demo-WIN -> Demo-WIN-Safe
17. Enter the details of the target machine and specify the PSM machine IP address in the Logon To field
18. Uncheck Automatic Password change and click on Save.
19. Now in the Accounts page, the administrator account should show the Connect button.
20. Click on the Connect button; it should connect directly to the target machine without asking for the credentials.

Dual Control

Before setting it up, follow the steps below (optional):

1. Create two groups named CyberArk Requestors and CyberArk Approvers.
2. Add the users to the groups created above
3. Map the groups created above in the Directory mapping for the existing domain in PVWA
4. Click on User provisioning -> LDAP Integration
5. Click on Add Mapping
6. Enter the Map name and select New map for both groups.
7. Enter the LDAP groups
8. For Approvers, set the Vault authorizations Activate users, Add/Update users, Audit users and Reset users' password, then click Next and Save.
9. For Requestors, set Add Safes and Add/Update users, then click Next and Save
10. Now give these groups permissions on the Safe Demo-WIN-Safe.
11.
