CyberArk - PrivilegeCloud - Implementation Document

This document provides instructions for implementing CyberArk Privilege Cloud. It covers setting passwords, running prerequisite scripts, deploying management agents and components, installing identity connectors, and configuring authentication. The document also includes testing credential and session management.


CyberArk Privilege Cloud

Implementation
and Configuration
Document for
Nerolac

Contents

Set the password for CyberArk Cloud admin user
Set the password for the Identity installer user
Run the prerequisites script
Deploy Components Using Connector Management
    Deploy the Management Agent
    Deploy the Privilege Cloud Components – CPM and PSM
        Selecting which Components to install
        Confirm the CPM and PSM were successfully installed
Deploy the Identity Connector
    Download and Extraction
    Installation
    Configuration
Configure Identity MFA
Verify all Components are connected to the Vault
    Assign an administrator role
    Login to the Privilege Cloud Web Portal
Test Credential and Session Management
    Test Credential Management (CPM)
The End

CyberArk Privilege Cloud Implementation Document

Set the password for CyberArk Cloud admin user


1. Open Chrome (you have a shortcut in the taskbar), then copy and paste the URL you
received in the mail from your Notepad file. It should look something like
https://nerolac.cyberark.cloud. The tenant URL and its region (EMEA, USCT or APJ)
depend on your environment.

2. Enter your CyberArk Identity Security Platform username and click Next. This
information is in the email you received and it should be in your tenant_info.txt file.

3. You will next be prompted for a password, which we don’t have, so click on Forgot your
password? to initiate a password reset.


4. Select the option to authenticate by email and click Send me an email.

5. You will receive an email with an eight-digit code, which you can then enter into the
field and then click Authenticate.

Note: Rather than entering the code, you can choose to click on the link Continue with
Authentication, which will also allow you to authenticate.

Note: Make sure that your password meets the requirements, which are displayed below
the Next button. Characters NOT to be used when changing password: \&"|<>$ and
space.


Set the password for the Identity installer user

In this section, we will set a new password for the built-in Identity user account,
installeruser, that we will use during the different installation processes we will be
running in this course.

IMPORTANT! For security reasons, the installeruser password is configured to expire
after 24 hours unless it is reset. If an installation step fails with an authentication
error on a later day, reset this password before troubleshooting anything else.

Once again, it is recommended that you keep a copy of this password in your
tenant_info.txt file for convenience. This is acceptable for the lab only; in production,
store the installer user password in a safe rather than in a plain-text file, and reset it
once the installation is finished.
1. You should be logged into Windows on VM Connector Server as Admin / Cyberark1.

2. Open Chrome (you have a shortcut in the taskbar).

3. Navigate to the CyberArk Identity Security Platform URL that was provided to you in
the email containing the Privilege Cloud tenant details and log in using the
username and password we set previously, then click on Go to Identity
Administration.


The first time you connect, you will be presented with an introduction screen. Take the
time to review the material, clicking Next to move through the sections. When you are
finished, you can close the window.

4. In Identity Administration, in the left pane, under Core Services, click Users.
Then on the left, click the All Users or All Service Users set, and then click the
installeruser in the list to view the user details.

5. Note the full name of the Installer user. Copy this username to your tenant_info.txt
file as you will need it at a later stage. Click on Back to Users at the top of the
window.


6. Check the box for the installeruser and at the top of the window, click Actions > Set
Password.

7. In the Set User Password dialog box, enter a new password and click Save. Keep the
password alphanumeric where possible; the characters listed in the note below must
not appear in it at all. Once again, type this password into your tenant_info.txt file,
save it, and then copy and paste it into this window.

Note: Do NOT use the following characters when changing the password: \/<>{}'&"$*@`|
and space. (Password example: C-Uuni1234)
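As an added example (not part of the original guide), the following PowerShell checks a candidate password against one of the two forbidden character sets quoted in this guide and generates a compliant password from a cryptographic random source, so you are not choosing lab passwords by hand. The forbidden sets are the ones given for the Cloud admin user and the installer user; the function names, the default length and the small punctuation set used for generation are assumptions of this example.

```powershell
# Added example, not from the original guide. Validates and generates passwords that
# respect the character restrictions quoted above. Function names, default length and
# the allowed punctuation set are assumptions; the forbidden sets come from this guide.

# Characters this guide forbids for the installeruser password. In a single-quoted
# PowerShell string '' is a literal apostrophe, and ` and $ are not special.
$InstallerForbidden = [char[]]'\/<>{}''&"$*@`| '
# Characters this guide forbids for the Cloud admin user password.
$AdminForbidden     = [char[]]'\&"|<>$ '

function Test-CyberArkPasswordChars {
    # Returns the forbidden characters found in $Password (an empty array means it is OK).
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [char[]] $Forbidden
    )
    $found = foreach ($c in $Password.ToCharArray()) {
        if ($Forbidden -contains $c) { $c }
    }
    return @($found | Sort-Object -Unique)
}

function New-CyberArkPassword {
    # Generates $Length characters from letters, digits and a small punctuation set,
    # minus anything in $Forbidden, using the platform cryptographic RNG.
    param(
        [int]    $Length    = 16,
        [char[]] $Forbidden = @()
    )
    if ($Length -lt 8) { throw 'Use at least 8 characters.' }
    $upper  = 65..90  | ForEach-Object { [char]$_ }
    $lower  = 97..122 | ForEach-Object { [char]$_ }
    $digits = 48..57  | ForEach-Object { [char]$_ }
    $punct  = [char[]]'-_.,!#%?'                   # assumed "safe" punctuation
    $alphabet = @(($upper + $lower + $digits + $punct) | Where-Object { $Forbidden -notcontains $_ })

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    # Largest multiple of the alphabet size that fits in a UInt32. Draws at or above it are
    # rejected so that "% Count" does not favour the first few characters of the alphabet.
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$alphabet.Count)
    try {
        do {
            $chars = for ($i = 0; $i -lt $Length; $i++) {
                do {
                    $rng.GetBytes($buf)
                    $n = [BitConverter]::ToUInt32($buf, 0)
                } while ($n -ge $limit)
                $alphabet[[int]($n % [uint32]$alphabet.Count)]
            }
            $candidate = -join $chars
            # Redraw until there is at least one upper, lower and digit, so the result also
            # satisfies a typical complexity rule and not only the character blacklist.
            $ok = ($candidate -cmatch '[A-Z]') -and ($candidate -cmatch '[a-z]') -and ($candidate -match '[0-9]')
        } while (-not $ok)
    } finally {
        $rng.Dispose()
    }
    # Prove the blacklist was honoured before handing the value back.
    if ((Test-CyberArkPasswordChars -Password $candidate -Forbidden $Forbidden).Count -ne 0) {
        throw 'Internal error: generated password contains a forbidden character.'
    }
    return $candidate
}

# Usage: the guide's own example passes; the same value with a '$' appended does not.
Test-CyberArkPasswordChars -Password 'C-Uuni1234'  -Forbidden $InstallerForbidden
Test-CyberArkPasswordChars -Password 'C-Uuni1234$' -Forbidden $InstallerForbidden
New-CyberArkPassword -Length 20 -Forbidden $InstallerForbidden
```

The first usage call returns nothing, the second returns the single character `$`. Use `$AdminForbidden` instead of `$InstallerForbidden` when generating the Cloud admin password; the installer set is the stricter of the two, so a password that passes it also passes the admin set.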


Run the prerequisites script


The final step in our preparations will be to run a script that will check that all the
necessary prerequisites are in place for installing the Privilege Cloud Connector and, if
they are not, help us to resolve any issues.

1. If you are not already, log in to VM Connector Server as Admin (password is
Cyberark1).

2. Navigate to C:\CyberArkFiles\Tools\ConnectorCheckPrerequisites_PrivilegeCloud.

3. Run PowerShell as an administrator, which you can do from the Windows file
explorer by going to File -> Open Windows Powershell -> Open Windows
Powershell as administrator. This has the advantage of opening the terminal in the
current directory, which is where the script we want to run is sitting.


Note: The prerequisites script was downloaded to your environment ahead of time for
convenience. In production you will need to download this script from the CyberArk
Marketplace; take it only from there, since it runs with administrator rights and
changes server configuration. The prerequisites script is continuously updated, so the
output you receive in the lab may differ slightly from the screenshot provided in this
guide. If the script performs updates during its first run and then exits, run it again
once the update has completed successfully.

Note: Visit the online documentation to learn more about the tests performed by the
prerequisites script.

4. Now run the script with this command:

.\ConnectorCheckPrerequisites_PrivilegeCloud.ps1


The script will perform any necessary updates and then ask you to relaunch the
script. Use the Up arrow on your keyboard to relaunch the script.

5. You will then be prompted for information about your Privilege Cloud tenant, which
you can find in your tenant info file. You will be prompted for:

 Portal URL, for example https://nerolac.cyberark.cloud

 Customer ID (Tenant ID)

* Remember: this URL will depend on your environment.


6. After performing a number of checks, you will be prompted to deploy RDS (the
Remote Desktop Services role, which the PSM requires). Click Yes.

7. You will be prompted to restart the server. Make sure you save any changes to your
tenant info file before restarting.

8. Once Windows has restarted, log back in as Admin with the password Cyberark1.
The script will resume automatically.


9. You will be asked to run the CPM Install Connection test. Select Yes.

10. You will be prompted to enter your InstallerUser credentials.


11. At the end of the test, you will be prompted to continue.

12. If you scroll back up to the prerequisites checks, you will see that the process
encountered an error relating to the Secondary Logon service. The PSM's shadow
users depend on this service to launch applications under a separate user context
(it is the Windows service behind Run as different user, and server hardening
baselines often disable it).

13. We need to resolve this issue, which we can do by re-running the prerequisites
script with the Troubleshooting flag. If the service was disabled by Group Policy,
correct the policy as well, or the fix will be reverted at the next policy refresh.

14. Navigate to the folder


C:\CyberArkFiles\Tools\ConnectorCheckPrerequisites_PrivilegeCloud.


15. Run PowerShell as an administrator, which you can do from the Windows file
explorer by going to File -> Open Windows Powershell -> Open Windows
Powershell as administrator

16. Now run the script with this command:

.\ConnectorCheckPrerequisites_PrivilegeCloud.ps1 -Troubleshooting

17. Enable the Secondary Logon service by entering 2.

18. The Secondary Logon service is now enabled.

19. When this step is finished, enter q to return to the previous menu (you may have to
enter q twice to quit).

20. And that completes our prerequisites checks. Log files can be found in the folder
where the script resides; keep them with your implementation records, as they show
which checks passed on this server.

Deploy Components Using Connector Management

In this section we will deploy CyberArk Privilege Cloud components to our Windows server
(connector1) using the Connector Management interface. We will:

 Deploy the Management Agent


 Deploy the CPM and PSM

Deploy the Management Agent

In this section, we will deploy the Connector Management Agent. This will do two things:

 It will install the Management Agent on the target server, which in our
case is connector1.
 It will also register the component server in the Connector Management
interface so that we will be able to deploy the CyberArk Privilege Cloud
components to that server.

1. Navigate to the Privilege Cloud Web Portal URL that was provided to you in the
email containing the privileged cloud tenant details and login using your Privilege
Cloud username.

2. Click on the icon with the circle and nine dots. Click on Connector Management

3. No connectors are currently installed. Click on Add a Connector.


4. This will generate a unique PowerShell script containing a time-limited security
token (valid for 15 minutes). Treat the clipboard contents as a secret while the token
is valid: paste it only into the PowerShell session on the target server, and do not
save it into tickets, chat or your tenant_info.txt file. Click on Copy to clipboard.

5. Open PowerShell as Administrator on the machine on which you intend to install the
connector (in this case Connector Server) and paste the script. Then press ENTER.


6. The script will fetch the resources, install the Connector Management Agent on the
server, and register it (as Connector1) in the CyberArk Privilege Cloud Connector
Management interface.

After a minute or so, the Connector Management interface will display the new Connector.


7. Click on Connector1 to view what components have been deployed. For the
moment, only the Management Agent is installed.

Deploy the Privilege Cloud Components – CPM and PSM

Now that our connector can communicate with the Privilege Cloud Vault, we will
deploy the Privilege Cloud component services to the Connector Server. This will
deploy and configure the CPM and the PSM on the current machine.

The process is driven from the Connector Management interface in the web portal.

Selecting which Components to install

1. Navigate to the Privilege Cloud Web Portal URL that was provided to you in the
email containing the privileged cloud tenant details.

2. Login using your Privilege Cloud credentials.

3. Click on the Identity Administration services icon (the circle with nine dots as
shown below) and click on Connector Management


4. Select Connector 1.

5. Click on Add New Component.

We can now select which Components we want to install. In this case we will install both the
CPM and the PSM. Click Next.


6. We will do a Production deployment. The POC install implements less hardening,
which is fine for POCs but not for production environments. Enter your
InstallerUser username and password and then scroll down.

Locate the PSM section. Here we will enter the credentials of a user who has the authorization
to install and configure elements on the connector1 server. We will use the domain user Admin.
Enter nerolac.com for the Domain, Admin for the user name and Cyberark1 for the
password. (In production, use a dedicated, documented installation account rather than
a shared domain administrator, and rotate its password when the installation is
finished.) When you are ready, click Next.

7. Since you already have run the prerequisites script, you can click on Install.


8. The components will now be installed. The installation progress will be displayed.
This will take a few minutes.

9. The installation is complete when all four Components display a green checkmark.

10. Restart the server.

Confirm the CPM and PSM were successfully installed

In this section we will make sure the installation of the CPM and PSM completed
successfully.

1. After the Connector Server restarts, login as Admin / Cyberark1.

2. Open the Services applet (you have a shortcut in the taskbar).

3. Verify the following four services are installed and are running:

 CyberArk Central Policy Manager Scanner
 CyberArk Management Agent
 CyberArk Password Manager
 Cyber-Ark Privileged Session Manager


Note: We will test credential and session management tasks in a later stage.
4. Close the Services applet.


Deploy the Identity Connector


The CyberArk Identity Connector lets the CyberArk Identity service in the cloud reach the
on-premises Active Directory domain (nerolac.com) through the current server, the
Connector Server, so that directory users and groups can be used in CyberArk Identity.
Its deployment is divided into three phases:

 Download and extraction
 Installation
 Configuration

Download and Extraction

1. Navigate to the Privilege Cloud Web Portal URL that was provided to you in the
email containing the privileged cloud tenant details.

2. Login using your Privilege Cloud username.

3. Go to Identity Administration.

4. Click on Settings > Network in the menu bar on the left and click on Add CyberArk
Identity Connector.


5. Select Download. Once the file is downloaded, you can close this dialog.

6. For the sake of consistency, move the Zip file to c:\CyberArkFiles\InstallationFiles
and then extract the files to that location.

Installation

Now we will begin the actual installation of the Identity Connector.


1. In the extracted directory, right-click on the executable and select Run as
administrator.

2. Then click Yes at the UAC dialog to allow the software to run.

3. Click Next to launch the installation wizard.


4. Tick the box to accept the terms of the license agreement and then click Next.

5. Click Next to install all tools.


6. Click Install.

7. At the end of the installation, click Finish. This will end the installation phase of
CyberArk Identity Connector deployment and will immediately launch the
Connector Configuration Wizard, which we will see in the next section.

Configuration

After installation, the Connector Configuration Wizard should launch automatically. If it
does not, you can find it in the Start Menu.


1. On the welcome dialog, click Next.

2. Enter the full InstallerUser username and its password and click Next.

Note: It does ask for the “admin user”, but what it needs here is the installer user.

3. We will not be using a web proxy, so just click Next.


4. Uncheck the box for Activate Idaptive Pages and click Next. In the next step, we will
allow the Identity Connector access to the Deleted Objects container, which lets it
detect accounts that have been deleted from Active Directory. Select the domain
nerolac.com and click Edit.

5. Because we are logged in as Admin, who is a domain admin, we can use the
current credentials. Click OK.

6. Click Yes to change the container ownership and then click Next. This is a change
to the domain itself; if your AD team controls such changes, have them approve it
before you proceed.


7. The Connector Configuration Wizard will then execute a number of checks, which
should all succeed. When finished, click Next.

8. The Connector service will then start up and you will see Connector setup is
complete. Click Finish to exit the wizard.


9. As a final step, we will verify that the changes we have made locally in our
environment have been reflected in the CyberArk Identity configuration in the cloud.
The last connection result should show as successful.


Note: You may receive a connection error at this point. Occasionally, the installation
process does not release the ports used during the installation process. A reboot
will correct this.

10. Now log in to the Identity Portal with your admin user, go to Identity
Administration | Settings | Network and confirm your directory forest and
connector hostname are present. Then restart the server.

11. After the restart, check that the new service is running. You should now have five
CyberArk services up and running.
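The Secondary Logon problem found by the prerequisites script earlier, and the service list you have just confirmed by eye in the Services applet, are both easy to check again from a script when a connector is rebuilt or audited. The following PowerShell is an added example and not part of the original guide or of CyberArk's tooling: it reports the Secondary Logon state and the status of the CyberArk services. The four display names are the ones listed in the "Confirm the CPM and PSM were successfully installed" section; the assumption that the Identity Connector service also has a display name beginning with "CyberArk" (so that five services match) is this example's, not the guide's.

```powershell
# Added example, not from the original guide. Checks the Secondary Logon service the
# prerequisites script complains about and the CyberArk services this guide confirms by
# hand. Service display names come from this guide except the 'Cyber*Ark*' pattern used
# to pick up the Identity Connector service, which is an assumption of this example.

function Test-ConnectorServices {
    param(
        [switch] $Fix,               # set Secondary Logon to Manual and start it if disabled
        [int]    $ExpectedCount = 5  # four component services plus the Identity Connector
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. Secondary Logon (service name seclogon): the PSM shadow users rely on it.
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='seclogon'"
    if (-not $cim) {
        $problems.Add('Secondary Logon (seclogon) service not found')
    } elseif ($cim.StartMode -eq 'Disabled') {
        if ($Fix) {
            Set-Service -Name seclogon -StartupType Manual
            Start-Service -Name seclogon
        } else {
            $problems.Add('Secondary Logon (seclogon) is Disabled; run with -Fix or use the prerequisites script -Troubleshooting menu')
        }
    }

    # 2. Component services deployed by Connector Management (display names from this guide).
    $expected = @(
        'CyberArk Central Policy Manager Scanner',
        'CyberArk Management Agent',
        'CyberArk Password Manager',
        'Cyber-Ark Privileged Session Manager'
    )
    foreach ($name in $expected) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            $problems.Add("'$name' is not installed")
        } elseif ($svc.Status -ne 'Running') {
            $problems.Add("'$name' is $($svc.Status)")
        }
    }

    # 3. Everything CyberArk-branded, to catch the Identity Connector (name pattern assumed).
    $all = @(Get-Service | Where-Object { $_.DisplayName -like 'Cyber*Ark*' })
    if ($all.Count -lt $ExpectedCount) {
        $problems.Add("Expected $ExpectedCount CyberArk services, found $($all.Count)")
    }
    # Services not already checked above (the assumed Identity Connector) must also be running.
    $others = @($all | Where-Object { $expected -notcontains $_.DisplayName -and $_.Status -ne 'Running' })
    foreach ($svc in $others) { $problems.Add("'$($svc.DisplayName)' is $($svc.Status)") }

    [pscustomobject]@{
        Healthy  = ($problems.Count -eq 0)
        Services = @($all | Select-Object DisplayName, Status, StartType)
        Problems = $problems
    }
}

# Usage (run in an elevated PowerShell on the Connector Server):
$result = Test-ConnectorServices
$result.Services | Format-Table -AutoSize
if (-not $result.Healthy) { $result.Problems }
```

Run it with `-Fix` only after the prerequisites script has been run, and remember that the local change is cosmetic if Secondary Logon is disabled through Group Policy (Computer Configuration > Windows Settings > Security Settings > System Services): the setting comes back at the next policy refresh unless the GPO is corrected.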


Configure Identity MFA


In this section, we will create a profile for multi-factor authentication using a password and
an email confirmation code as the two factors. We will then create a new, dedicated
authentication policy for CyberArk Identity and apply this profile to it. In this way, every
user who holds one of the Privilege Cloud roles we attach to the policy will be required to
use 2FA; users and service accounts outside those roles are not affected by it.

1. Login to Identity and go to Identity Administration > Settings > Authentication >
Authentication Profiles.

2. Click on Add Profile.

3. Name the new profile MFA Profile. Enable Password for Challenge 1 and Email
confirmation code for Challenge 2. Click OK when you are finished.


4. Now go to Core Services > Policies and click Add Policy Set.

5. Under Policy Settings, name the new Policy MFA Policy and check the button for
Specified Roles. This will allow you to add new roles to the policy. Click the Add
button.


6. Check the boxes for the four following Privilege Cloud built-in roles and click Add.

• Privilege Cloud Administrators
• Privilege Cloud Auditors
• Privilege Cloud Safe Managers
• Privilege Cloud Users

Tip: You can enter the string ‘privilege’ in the search field to reduce the number of
options.


Note: For each of these roles, there are three versions: the plain one (e.g. Privilege
Cloud Users), a Basic version, and a Lite version. Make sure you choose the plain
version, as shown in the image above.

Still under MFA Policy, select the Authentication Policies tab and then CyberArk Identity.

7. Set Enable authentication policy controls to Yes.

8. Then change the Default Profile to MFA Profile. Make sure to click Save when you
are done.


Verify all Components are connected to the Vault


In this section, we will verify that all the components we installed are connected to the
Vault. To do this, we will:

 Assign an administrator role to our user in Identity Administration.
 Log in to the Privilege Cloud Web Portal, which is the cloud equivalent of the PVWA.

Assign an administrator role

We will first need to assign ourselves a role as an administrator in CyberArk Privilege
Cloud.

1. Log in to Identity Administration and go to Core Services > Roles.


2. Click on Privilege Cloud Administrators > Members and then click the Add button.

3. Search for your user, tick the box next to it, and then click the Add button.


4. You should see your user in the list of Members. Click the Save button to commit
the change.

5. You are now the administrator of your CyberArk Privilege Cloud.

Login to the Privilege Cloud Web Portal

1. Open a new tab in your browser and enter the address for your tenant:

https://nerolac.cyberark.cloud/privilegecloud


You should be redirected to the Privilege Cloud Portal, which for those familiar with the
CyberArk PAM Self-Hosted solution is essentially the PVWA.

2. Click on System Health and verify that you have 1 connected user for the CPM and 2
connected users for the PSM / PSM for SSH (the PSM logs in to the Vault with two
users, its application user and its gateway user). A component with no connected
user is not talking to the Vault, whatever the local service status says.


Test Credential and Session Management


In this section, we will test credential and session management for both Windows and
Linux target machines, and make sure our components are working as expected.

Note: The following exercises are based on topics covered in the PAM or Privilege Cloud
Administration courses, which are a prerequisite to this course.

Test Credential Management (CPM)

1. If you are not still connected, log in to Connector Server as Admin / Cyberark1.

2. Open Chrome and navigate to the Privilege Cloud portal URL assigned to you.

3. Login as the Privilege Cloud admin user.

4. Create a safe called TEST. We don’t need to assign any users to it, so just click the
Skip and create Safe button.

5. Onboard the following test accounts to the TEST safe:

                 Target Linux        Target Windows
  System Type    *NIX                Windows
  Platform       Unix via SSH        Windows Server Local Accounts
  Username       root                Administrator
  Address        (not given)         (not given)
  Password       Cyberark1           Cyberark1

6. Confirm the CPM can verify and change the target Linux and target Windows
privileged accounts. If a Verify or Change fails, the reason is recorded by the CPM in
pm_error.log under the CPM installation's Logs folder on the Connector Server, and
the account's last CPM status is shown on the account page in the portal.


The End
And that completes the installation and basic configuration of the CyberArk Privilege Cloud
solution integrated with the Identity Security Platform Shared Services.
