PAM Administration
PAM Self-Hosted Architecture
© 2023 CyberArk Software Ltd. All rights reserved
Agenda
In this session, we will look at:
• The PAM Self-Hosted system architecture
• How to locate and manage the local services, configuration files, and logs for the various PAM Self-Hosted components
• How to locate and manage the built-in Safes and users for the various PAM Self-Hosted components
• The internal integration and communication between the various PAM Self-Hosted components and the Vault
System Architecture Review
What is PAM Self-Hosted?
PAM Self-Hosted
A PAM solution in which all of its components are owned and operated by the customer:
• An entirely on-premises installation of the Vault and all the different components
• An entirely cloud-based deployment where the Vault and components are deployed to one of the supported Cloud platforms
• A hybrid deployment in which some components are in the Cloud and others, very often the Vault, are installed on-premises.
CyberArk Privilege Cloud – PAM as SaaS
The Privileged Access Manager is delivered as Software as a Service
PAM Self-Hosted Components
Secure Digital Vault
• A secure server used to store privileged account information.
• Based on a hardened Windows server platform.
Password Vault Web Access (PVWA)
• The web interface for users to gain access to privileged account information.
• Used by Vault administrators to configure policies.
Central Policy Manager (CPM)
• Performs the password changes on devices.
• Scans the network for privileged accounts.
Privileged Session Manager (PSM)
• Isolates and monitors privileged account activity.
• Records privileged account sessions.
Privileged Threat Analytics (PTA)
• Monitors and detects malicious privileged account behavior.
CyberArk’s Scalable Architecture
[Diagram: Main Data Center - US with the Vault (HA Cluster), PVWA, CPM, PSM and PTA serving Auditors and IT in the IT Environment; remote IT Environments in London and Hong Kong with their own Auditors/IT; and a DR Site.]
Component Local Environment
In this section we will look at the main services, configuration files, and logs for each of the following components:
• Vault
• CPM
• PVWA
• PSM
Inside the Vault
Vault Services
[Screenshots: Services before Vault installation; Services post installation and hardening]
• The total number of previously running services has been reduced as part of the hardening process
• The Vault installation has added 6 new services
Vault Firewall
[Screenshots: Firewall before Vault installation; Firewall post hardening]
All Firewall Rules that do not relate to CyberArk have been deleted, both inbound and outbound.
Vault Main Configuration Files
dbparm.ini
• Main configuration file of the Vault
• Any change requires a restart of the Vault service
passparm.ini
• Configure password policy for users of the Vault
PARagent.ini
• Configure Remote Control Agent in the Vault
• SNMP Configuration
tsparm.ini
• Configure the physical disks used to store Vault data
dbparm.ini
dbparm.ini: Current Vault configuration file, contains parameters for Log Level, Server Key, Syslog, Timeouts, Recovery Key, etc.
DBPARM.sample.ini: Contains all the possible configuration options. Full info on these parameters is contained in the PAM documentation.
dbparm.ini.good: Contains the last known working configuration of the dbparm.ini file. Created automatically when the Vault server starts up.
Vault Log Files
Italog.log
• Main log file of the Vault server.
Trace.d0
• Trace file of the Vault.
• It is detailed according to the debug level configured in the dbparm.ini.
Inside the PVWA
PVWA Service
IIS Services
As the PVWA is a web application running on IIS, you can control it through the IIS Manager interface or use the command line by running:
iisreset /restart
or
iisreset /status
to check the status of the website
PVWA Directories
IIS Folder
• PVWA application files are located at: C:\Cyberark\Password Vault Web Access\
• Web page: IIS Virtual Folder - PasswordVault
PVWA Log Location
• Default log file location: %windir%\temp\PVWA\.
• Can be changed by going to the PasswordVault folder under IIS, opening the file web.config, and modifying the "LogFolder" parameter
Inside the CPM
CPM Services
The CPM server has two main services:
• The CyberArk Central Policy Manager Scanner is the scanner for the Accounts Feed workflow.
• The CyberArk Password Manager service is a batch processor that connects to the Vault looking for work to do and kicks off the necessary processes to complete that work.
CPM Directories
bin – Contains all the files required to run the CPM and the change password processes on target machines
Logs – Contains CPM activity log files
tmp – Contains files that are used by the CPM for internal processing
Vault – Contains the configuration that tells the CPM where to find the Vault and how to connect
Log Files
Activity Logs (Logs folder)
• pm.log – contains all the log messages, including general and informative messages, errors, and warnings.
• pm_error.log – contains only warning and error messages.
Third-party Log Files (Logs\ThirdParty folder)
• Generated by the CPM’s password generation plug-ins when an error occurs
• Name of the log file: <type of password>-<Safe>-<folder>-<name of password object>.log
  E.g., Operating System-UnixSSH-1.1.1.250-Root.log
History Log Files (Logs\History folder)
• After a log file has been uploaded into the Safe, it is renamed and moved into the History subfolder.
• The file is marked with a time stamp and renamed as follows: <filename> (<date>-<time>).log
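As an added example (not part of the original training material), a small Python parser that classifies the CPM log file names described above; it assumes that the last hyphen inside the History parentheses separates <date> from <time>, and that the first three hyphens of a third-party log name are its separators.

```python
import re

# History rename pattern from the slide: "<filename> (<date>-<time>).log".
# The slide does not give the date/time layout; this parser only assumes
# that the last "-" inside the parentheses separates <date> from <time>.
_HISTORY_RE = re.compile(r"^(?P<original>.+) \((?P<stamp>[^()]+)\)\.log$")


def parse_cpm_log_name(file_name: str) -> dict:
    """Classify a CPM log file name: 'activity' (pm.log), 'error'
    (pm_error.log), 'third_party' (Logs/ThirdParty) or 'history' (Logs/History)."""
    if file_name == "pm.log":
        return {"kind": "activity"}
    if file_name == "pm_error.log":
        return {"kind": "error"}

    m = _HISTORY_RE.match(file_name)
    if m:
        date, _, time = m.group("stamp").rpartition("-")
        original = m.group("original")
        if not original.endswith(".log"):
            original += ".log"
        # Classify the file as it was named before the History rename.
        return {"kind": "history", "date": date, "time": time,
                "original": original, "was": parse_cpm_log_name(original)}

    if not file_name.endswith(".log"):
        raise ValueError(f"not a CPM log file name: {file_name!r}")
    # Assumption: the first three "-" are separators; an object name containing "-" stays whole.
    parts = file_name[:-len(".log")].split("-", 3)
    if len(parts) != 4:
        raise ValueError(f"unrecognised third-party log name: {file_name!r}")
    ptype, safe, folder, obj = parts
    return {"kind": "third_party", "type": ptype, "safe": safe,
            "folder": folder, "object": obj}


# Constructed sample names; the first is the slide's own example.
SAMPLE_NAMES = [
    "Operating System-UnixSSH-1.1.1.250-Root.log",
    "pm_error.log",
    "pm.log (2023-03-01-120000).log",  # assumed time stamp layout
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(name, "->", parse_cpm_log_name(name))
```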
Inside the PSM
The PSM Service
PSM Directories
In the PSM directory you'll find all the configuration files, logs, and connectors that allow end users to connect to target systems. Some key files are:
Components – Contains the files that are used by the PSM service and the executable.
• CAPSM.exe – The main PSM executable.
Logs – Stores the PSM activity log files temporarily until they are uploaded into the Vault.
Recordings – Stores the session recordings temporarily until they are uploaded to the Vault. During installation, the PSM service user is given write permissions on this folder.
Temp – Contains the files that are used by the PSM for internal processing.
Vault – Provides the PSM with all the configuration information required to run the PSM.
• Basic_psm.ini – The main PSM configuration file that contains the information required to start the PSM (cred file locations, Safe names).
PSM Logs
All activities that are carried out by the PSM are written to log files and stored in the Log subfolder of the PSM installation folder.
PSMConsole.log
• Contains informational messages and errors that refer to PSM function.
<SessionID>.Recorder.log
• Contains errors and trace messages related to the PSM Recorder that can be used for troubleshooting with session video recordings. The types of messages that are included depend on the debug levels specified in the Recorder settings of the PSM configuration.
<SessionID>.<connection client>.log
• Contains errors and trace messages related to the connection client that can be used for troubleshooting.
PSMConnect and PSMAdminConnect Users
PSMConnect and PSMAdminConnect are local users on the PSM server.
• PSMConnect is used when an end user launches a connection to a target system via PSM.
• PSMAdminConnect is used by Auditors when connecting via RDP to the PSM to monitor other users’ RDP connections.
PSMConnect and PSMAdminConnect
The credentials for the PSMConnect and PSMAdminConnect users are stored as accounts in the Vault and should be managed in the same way as any other account.
PSM Shadow Users
• When a Vault user launches a session via the PSM for a non-RDP connection (e.g., SSH) for the first time, a shadow user is created for the user on the PSM server.
• This shadow user launches the application needed for the connection (PuTTY in the case of an SSH connection).
• The credentials for these users are reset with every connection.
PSM Users Summary
[Diagram: Carlos (Linux Administrator) launches an RDP file from the PVWA and connects to the PSM using RDP as PSMConnect; on the PSM a ShadowUser runs PuTTY (ssh root@target-lin) to reach TARGET-LIN. Cindy (Auditor) connects to the PSM using RDP as PSMAdminConnect. The PSM uses PSMGW to reach the VAULT.]
Internal Safes and Users
In this section we will look at the internal Safes and users created in the Vault for each component:
• Vault
• CPM
• PVWA
• PSM
Vault Internal Safes
The three internal Safes created during the Vault installation are:
• Notification Engine: used by the ENE service
• System: contains the file links for dbparm.ini, etc.
• VaultInternal: contains configuration data for CyberArk LDAP integration
The System Safe
• The Vault’s main configuration files and logs can be accessed in the System Safe from remote stations using the PrivateArk Client
• A new License.xml file can be copied into this Safe to update the license without the need to restart the Vault service
CPM Internal Safes
The installation of the first CPM will create 8 Safes:
• PasswordManager
• PasswordManager_Accounts
• PasswordManager_ADInternal
• PasswordManager_info
• PasswordManager_Pending
• PasswordManager_workspace
• PasswordManagerShared
• PasswordManagerTemp
Additional CPMs will share some Safes and create some additional new ones.
CPM Vault User
Tools > Administrative Tools > Users and Groups
• By default, the first CPM user’s name is PasswordManager
• When creating a new Safe through the PVWA, the CPM user is automatically added to the Safe
PVWA Safes
• PVWAConfig – configuration settings for PVWA
• PVWAPrivateUserPrefs – user preference settings
Note: The above two Safes should not be accessed directly
• PVWAPublicData – contains the help documents that can be accessed in the PVWA
• PVWAReports – completed reports
• PVWATaskDefinitions – report definitions
• PVWATicketingSystem – information on integrations with third-party ticketing systems
• PVWAUserPrefs – changes to individual user preferences
PVWA Vault Users and Groups
Tools > Administrative Tools > Users and Groups
• PVWAAppUser is used by the Password Vault Web Access for internal processing
• PVWAGWUser is the gateway user through which other users will access the Vault
PSM Safes
• PSM – contains the password objects for PSMConnect and PSMAdminConnect.
• PSMLiveSessions – allows users to monitor live sessions
• PSMNotifications – allows users to terminate, suspend, or resume sessions.
• PSMRecordings – default Safe for storing recordings.
• PSM Sessions – allows users to launch sessions via PSM
• PSMUniversalConnectors – used in auto deployment for PSM connectors to multiple PSMs.
• PSMUnmanagedSessions – allows users to monitor live Ad-hoc sessions
PSM Vault Users
PSMApp_<MachineName>
• Used by the PSM for internal processing
• The credential file for this user is stored on the PSM server in a file named psmapp.cred
• This user is added automatically to the PSMAppUsers group
PSMGW_<MachineName>
• This is the Gateway user through which the PSM will access the Vault to retrieve the target machine password
• The credential file for this user is stored on the PSM server in a file named psmgw.cred
• This user is added automatically to the PVWAGWAccounts group. Being a member of this group enables this user to access all password Safes
PSM Vault Groups
PSMAppUsers
• This group is used to retrieve configuration data from the Vault, create Recording Safes, upload recordings, and perform other PSM activities
PSMLiveSessionTerminators
• Members of this group can terminate, suspend, and resume live sessions
PSMMaster
• This group manages the Safes where recordings are stored.
• It is added to the Recordings Safes with all authorizations
Internal Communication
In this section we will look at how components communicate with the Vault and with each other:
• Direct communication with the Vault
• Communication with the Vault using REST/API
Direct Communication With the Vault
Connecting to the Vault
• Components communicate with the Vault using the CyberArk proprietary protocol on port 1858
• Components must first authenticate to the Vault each time they are started
• Each Component has a User ID and password stored in a “credential file”
[Diagram: Privileged Session Manager, Password Vault Web Access, Central Policy Manager, Replicate, PrivateArk Client, Unix/Windows Application Providers and Privileged Threat Analytics all connecting to the Vault]
CPM Example
Vault Address and Credentials
• Components communicate with the Vault using the following configuration files:
  ⎼ Vault.ini
  ⎼ Cred File
• The Vault.ini file contains the Vault address and port
• The cred file contains the user name and a hash of the password used to authenticate to the Vault
CPM Example
Vault Credential Files
• When the CPM authenticates to the Vault, it uses the credentials stored in the file user.ini (the cred file):
  ⎼ The CPM username
  ⎼ A hash of the password
• After the CPM successfully authenticates, the password in the Vault and cred file are rotated
[Diagram: the CPM Service on the CPM Server reads the Cred File (PasswordManager/******) to authenticate to the Vault]
Communicating With the Vault Via REST
Component Internal Communication
Historically, components communicated directly with the Vault using the CyberArk proprietary protocol (over port 1858).
[Diagram: the Central Policy Manager manages Target Accounts and Servers and talks to the Vault over port 1858; the Password Vault Web Access talks to the Vault over port 1858 and serves Vault Administrators over HTTPS]
Component Communication – REST First
• As we move towards “REST first”, new functionalities use REST instead of the CyberArk proprietary protocol.
• Components communicate with the PVWA over REST, and the PVWA performs the actions on the Vault.
[Diagram: the Central Policy Manager manages Target Accounts and Servers and talks REST to the Password Vault Web Access, which talks to the Vault over port 1858 and serves Vault administrators over HTTPS]
API Address and Keys
• When using REST to communicate with the Vault, components use the following configuration files:
  ⎼ Vault.ini
  ⎼ ApiKey file
• The Vault.ini file contains the API address (PVWA)
• The ApiKey file contains the private key used to authenticate to the Vault via REST
CPM Example
API Keys
• An asymmetric key pair is used to provide a secure way for automated API calls and scripts, as well as CyberArk clients, to communicate with the Vault.
• The private key is stored locally for use by the script or CyberArk client, while the public key is stored in the Vault.
• Both keys are associated with a username that was previously created in the Vault and used for API authentication.
[Diagram: the CPM Service on the CPM Server uses the ApiKey File (PasswordManager/******) to authenticate to the Password Vault Web Access, which talks to the Vault]
Summary
Summary
In this session we discussed:
• The system architecture
• The local services, configuration files, and logs for the PAM Self-Hosted components
• The built-in Safes and users of the various components
• The internal integration and information flow among the PAM Self-Hosted components
Additional Resources
• Documentation
• CyberArk Digital Vault Security Standards
• Security Fundamentals for PAM