CyberArk PAM Self-Hosted Architecture PDF
Document Details
Uploaded by FancySarod
CyberArk University
2023
Tags
Summary
This document provides an overview of the CyberArk Privileged Access Management (PAM) Self-Hosted architecture. It describes the components, including the Vault, Central Policy Manager, and Privileged Session Manager. The document also covers the internal communication and configuration files essential for proper function.
Full Transcript
PAM Administration PAM Self-Hosted Architecture © 2023 CyberArk Software Ltd. All rights reserved In this session, we will look at: The PAM Self-Hosted system ar...
PAM Administration PAM Self-Hosted Architecture © 2023 CyberArk Software Ltd. All rights reserved In this session, we will look at: The PAM Self-Hosted system architecture How to locate and manage the local services, configuration files, and logs for the various Agenda PAM Self-Hosted components How to locate and manage the built-in Safes and users for the various PAM Self-Hosted components The internal integration and communication between the various PAM Self-Hosted components and the Vault © 2023 CyberArk Software Ltd. All rights reserved System Architecture Review © 2023 CyberArk Software Ltd. All rights reserved What is PAM Self-Hosted? PAM Self-Hosted PAM solution when all of its components are owned and operated by the customer An entirely on-premises An entirely cloud-based deployment A hybrid deployment in which installation of the Vault and where the Vault and components some components are in the Cloud all the different components are deployed to one of the and others, very often the Vault, supported Cloud platforms are installed on-premises. CyberArk Privilege Cloud – PAM as SaaS The Privileged Access Manager is delivered as Software as a Service © 2023 CyberArk Software Ltd. All rights reserved PAM Self-Hosted Components A secure server used to store privileged account information. Secure Digital Vault Based on a hardened Windows server platform. Password Vault Web The web interface for users to gain access to privileged account information. Access (PVWA) Used by Vault administrators to configure policies. Central Policy Manager Performs the password changes on devices. (CPM) Scans the network for privileged accounts. Privileged Session Isolates and monitors privileged account activity. Manager (PSM) Records privileged account sessions. Privilege Threat Monitors and detects malicious privileged account behavior. Analytics (PTA) © 2023 CyberArk Software Ltd. All rights reserved CyberArk’s Scalable Architecture Auditors PVWA PTA CPM PSM IT Vault (HA Cluster) IT Environment Main Data Center - US Auditors/IT Auditors/IT IT Environment IT Environment London Hong Kong DR Site © 2023 CyberArk Software Ltd. All rights reserved Component Local Environment In this section we will look at the main services, configuration files, and logs for each of the following components: Vault CPM PVWA PSM © 2023 CyberArk Software Ltd. All rights reserved Inside the Vault © 2023 CyberArk Software Ltd. All rights reserved Vault Services Services Post Installation and Hardening Services before Vault installation Total number of previously running services has been reduced as part of the hardening process Vault installation has added 6 new services © 2023 CyberArk Software Ltd. All rights reserved Vault Firewall Firewall before Vault installation Firewall Post Hardening All Firewall Rules that do not relate to CyberArk have been deleted, both inbound and outbound. © 2023 CyberArk Software Ltd. All rights reserved Vault Main Configuration Files Main configuration file of the Vault dbparm.ini Any change requires a restart of the Vault service passparm.ini Configure password policy for users of the Vault Configure Remote Control Agent in the Vault PARagent.ini SNMP Configuration tsparm.ini Configure the physical disks used to store Vault data © 2023 CyberArk Software Ltd. All rights reserved dbparm.ini dbparm.ini: Current Vault configuration file, contains parameters for Log Level, Server Key, Syslog, Timeouts, Recovery Key, etc. DBPARM.sample.ini: Contains all the possible configuration options. Full info on these parameters is contained in the PAM documentation. dbparm.ini.good: Contains the last known working configuration of the dbparm.ini file. Created automatically when the Vault server starts up. © 2023 CyberArk Software Ltd. All rights reserved Vault Log Files Italog.log Main log file of the Vault server. Trace file of the Vault. Trace.d0 It is detailed according to the debug level configured in the dbparm.ini. © 2023 CyberArk Software Ltd. All rights reserved Inside the PVWA © 2023 CyberArk Software Ltd. All rights reserved PVWA Service IIS Services As the PVWA is a web application running on IIS, you can control it through the IIS Manager interface or use the command line by running: iisreset /restart or iisreset /status to check status of website © 2023 CyberArk Software Ltd. All rights reserved PVWA Directories IIS Folder PVWA application files are located at: C:\Cyberark\Password Vault Web Access\ Web page: IIS Virtual Folder - PasswordVault © 2023 CyberArk Software Ltd. All rights reserved PVWA Log Location Default log file location: %windir%\temp\PVWA\. Can be changed by going to the PasswordVault folder under IIS, opening the file web.config, and modifying the "LogFolder" parameter © 2023 CyberArk Software Ltd. All rights reserved Inside the CPM © 2023 CyberArk Software Ltd. All rights reserved CPM Services The CPM server has two main services: The CyberArk Central Policy Manager Scanner is the scanner for the Accounts Feed workflow. The CyberArk Password Manager service is a batch processor that connects to the Vault looking for work to do and kicks off the necessary processes to complete that work. © 2023 CyberArk Software Ltd. All rights reserved CPM Directories bin – Contains all the files required to run the CPM and the change password processes on target machines Logs – Contains CPM activity log files tmp – Contains files that are used by the CPM for internal processing Vault – Contains the configuration that tells the CPM where to find the vault and how to connect © 2023 CyberArk Software Ltd. All rights reserved Log Files pm.log – contains all the log messages, including general and informative Activity Logs messages, errors, and warnings. (Logs folder) pm_error.log – contains only warning and error messages. Generated by the CPM’s password generation plug-ins when an error occurs Third-party Log Files Name of the log file: (Logs\ThirdParty folder) ---.log E.g., Operating System-UnixSSH-1.1.1.250-Root.log After a log file has been uploaded into the Safe, it is renamed and moved History Log Files into the History subfolder. (Logs\History folder) The file is marked with a time stamp and renamed as follows: (-).log © 2023 CyberArk Software Ltd. All rights reserved Inside the PSM © 2023 CyberArk Software Ltd. All rights reserved The PSM Service © 2023 CyberArk Software Ltd. All rights reserved PSM Directories In the PSM directory you'll find all the configuration files, logs, and connectors that allow end users to connect to target systems. Some key files are: Components Logs Recordings Temp Vault Provides CAPSM.exe Stores Contains thethe files session PSM main– The that are with PSM activity PSM recordings used the configuration logbyfiles the service files temporarily PSM information and executable. for internal all until required the executable they processing. to are loguploaded into filesthe to Vault required the Vault.toDuring run the Basic_psm.ini installation, –PSM The main the service user is given write PSM configuration file that permissions on this folder. contains the information required to start the PSM (cred file locations, Safe names). © 2023 CyberArk Software Ltd. All rights reserved PSM Logs All activities that are carried out by the PSM are written to log files and stored in the Log subfolder of the PSM installation folder PSMConsole.log Contains informational messages and errors that refer to PSM function. Contains errors and trace messages related to the PSM Recorder that.Recorder.log can be used for troubleshooting with session video recordings. The types of messages that are included depend on the debug levels specified in the Recorder settings of the PSM configuration...log can be used for troubleshooting. © 2023 CyberArk Software Ltd. All rights reserved PSMConnect and PSMAdminConnect Users PSMConnect and PSMAdminConnect are local users on the PSM server. PSMAdminConnect is used by Auditors when connecting via RDP to the PSM to monitor PSMConnect is used when an other users’ RDP connections. end user launches a connection to a target system via PSM. © 2023 CyberArk Software Ltd. All rights reserved PSMConnect and PSMAdminConnect The credentials for the PSMConnect and PSMAdminConnect users are stored as accounts in the Vault and should be managed in the same way any other account. © 2023 CyberArk Software Ltd. All rights reserved PSM Shadow Users When a Vault user launches a session via the PSM for a non- RDP connection (e.g., SSH) for the first time, a shadow user is created for the user on the PSM server. This shadow user launches the application needed for the connection (Putty in the case of an SSH connection). The credentials for these users are reset with every connection. © 2023 CyberArk Software Ltd. All rights reserved PSM Users Summary RDP file PuTTy PVWA ssh root@target-lin RDP using PSMConnect ShadowUser Carlos Carlos Linux Administrator Cindy Auditor TARGET-LIN PSM RDP using PSMAdminConnect PSMGW VAULT © 2023 CyberArk Software Ltd. All rights reserved Internal Safes and Users In this section we will look at the Internal safes and users created in the Vault for each component: Vault CPM PVWA PSM © 2023 CyberArk Software Ltd. All rights reserved Vault Internal Safes The three internal safes created during the Vault installation are: Notification Engine: used by the ENE service System: contains the file links for dbparm.ini, etc. VaultInternal: contains configuration data for CyberArk LDAP integration © 2023 CyberArk Software Ltd. All rights reserved The System Safe The Vault’s main configuration files and logs can be accessed in the System Safe from remote stations using the PrivateArk Client A new License.xml file can be copied into this Safe to update the license without the need to restart the Vault service © 2023 CyberArk Software Ltd. All rights reserved CPM Internal Safes The installation of the first CPM will create 8 Safes: PasswordManager PasswordManager_Accounts PasswordManager_ADInternal PasswordManager_info PasswordManager_Pending PasswordManager_workspace PasswordManagerShared PasswordManagerTemp Additional CPMs will share some Safes and create some additional new ones. © 2023 CyberArk Software Ltd. All rights reserved CPM Vault User Tools > Administrative Tools > Users and Groups By default, the first CPM user’s name is PasswordManager When creating a new Safe through the PVWA, the CPM user is automatically added to the Safe © 2023 CyberArk Software Ltd. All rights reserved PVWA Safes PVWAConfig – configuration settings for PVWA PVWAPrivateUserPrefs – user preference settings Note: The above two safes should not be accessed directly PVWAPublicData – contains the help documents that can be accessed in the PVWA PVWAReports – completed reports PVWATaskDefinitions – report definitions PVWATicketingSystem – information on integrations with third-party ticketing systems PVWAUserPrefs – Changes to individual user preferences © 2023 CyberArk Software Ltd. All rights reserved PVWA Vault Users and Groups Tools->Administrative Tools- >Users and Groups PVWAAppUser is used by the Password Vault Web Access for internal processing PVWAGWUser is the gateway user through which other users will access the Vault © 2023 CyberArk Software Ltd. All rights reserved PSM Safes PSM – contains the password objects for PSMConnect and PSMAdminConnect. PSMLiveSessions – allows users to monitor live sessions PSMNotifications – allows users to terminate, suspend, or resume sessions. PSMRecordings – default safe for storing recordings. PSM Sessions – allows users to launch sessions via PSM PSMUniversalConnectors – used in auto deployment for PSM connectors to multiple PSMs. PSMUnmanagedSessions – allows users to monitor live Ad-hoc sessions © 2023 CyberArk Software Ltd. All rights reserved PSM Vault Users PSMApp_ Used by the PSM for internal processing The credential file for this user is stored on the PSM server in a file named psmapp.cred This user is added automatically to the PSMAppUsers group PSMGW_ This is the Gateway user through which the PSM will access the Vault to retrieve the target machine password The credential file for this user is stored on the PSM server in a file named psmgw.cred This user is added automatically to PVWAGWAccounts group. Being a member of this group enables this user to access all password Safes © 2023 CyberArk Software Ltd. All rights reserved PSM Vault Groups PSMAppUsers This group is used to retrieve configuration data from the Vault, create Recording Safes, upload recordings, and perform other PSM activities PSMLiveSession Terminators Members of this group can terminate, suspend, and resume live sessions PSMMaster This group manages the Safes where recordings are stored. It is added to the Recordings Safes with all authorizations © 2023 CyberArk Software Ltd. All rights reserved Internal Communication In this section we will look at how Components communicate with the Vault and each other: Direct communication with the Vault Communication with the Vault using REST/API © 2023 CyberArk Software Ltd. All rights reserved Direct Communication With the Vault © 2023 CyberArk Software Ltd. All rights reserved Connecting to the Vault Privileged Session Components communicate Manager with the Vault using the Password Vault CyberArk proprietary protocol Web Access Central Policy on port 1858 Manager Components must first Replicate authenticate to the Vault each time they are started Vault Each Component has a User ID and password stored in a Unix/Windows PrivateArk Client “credential file” Application Providers Privileged Threat Analytics © 2023 CyberArk Software Ltd. All rights reserved CPM Example Vault Address and Credentials Components communicate with the Vault using the following configuration files: ⎼ Vault.ini ⎼ Cred File The Vault.ini file contains the Vault address and port The cred file contains the user name and a hash of the password used to authenticate to the Vault © 2023 CyberArk Software Ltd. All rights reserved CPM Example Vault Credential Files When the CPM authenticates to the Vault, it uses the CPM Server credentials stored in the file user.ini (the cred file): PasswordManager/****** ⎼ The CPM username CPM Service ⎼ A hash of the password After the CPM successfully authenticates, the password in the Vault and cred file are Cred File rotated © 2023 CyberArk Software Ltd. All rights reserved Communicating With the Vault Via REST © 2023 CyberArk Software Ltd. All rights reserved Component Internal Communication Historically, components communicated directly with the Vault using the Managed Target Central Policy Accounts and Servers 1858 CyberArk proprietary Manager protocol (over port 1858). Vault 1858 Password Vault Web Access HTTPS Vault Administrators © 2023 CyberArk Software Ltd. All rights reserved Component Communication – REST First As we move towards “REST first”, new functionalities use REST Managed Target Central Policy Accounts and Servers Manager instead of the CyberArk proprietary protocol. Components communicate REST with the PVWA over REST, Vault and the PVWA performs 1858 the actions on the Vault. Password Vault Web Access HTTPS Vault administrators © 2023 CyberArk Software Ltd. All rights reserved API Address and Keys When using REST to communicate with the Vault, components use the following configuration files: ⎼ Vault.ini ⎼ ApiKey file The Vault.ini file contains the API address (PVWA) The ApiKey file contains the private key used to authenticate to the Vault via REST © 2023 CyberArk Software Ltd. All rights reserved CPM Example API Keys An asymmetric key pair is used to provide a secure way CPM Server for automated API calls and scripts, as well as CyberArk clients, to communicate with PasswordManager/****** the Vault. Password Vault CPM Service The private key is stored Web Access locally for use by the script or CyberArk client, while the public key is stored in the Vault. ApiKey File Both keys are associated with a username that was previously created in the Vault and used for API authentication. © 2023 CyberArk Software Ltd. All rights reserved Summary © 2023 CyberArk Software Ltd. All rights reserved Summary In this session we discussed: The system architecture The local services, configuration files, and logs for the PAM Self-Hosted components The built-in Safes and users of the various components The internal integration and information flow among the PAM Self-Hosted components © 2023 CyberArk Software Ltd. All rights reserved Documentation Additional Resources CyberArk Digital Vault Security Standards Security Fundamentals for PAM
