
06 PAS Fundamentals Integrations

This document discusses integrating CyberArk with external systems like LDAP, SMTP, SNMP, and SIEM. It covers configuring LDAP integration to automate user provisioning and separate vault admins from identity functions. It also covers configuring SMTP, SNMP, and SIEM integrations to enable notifications, monitoring, and correlating privileged account activity.

Uploaded by

Oliver Quiambao

CyberArk University

Integrations

1
Objectives

By the end of this session you will be able to:


▪ Describe how Identity & Authentication functions in CyberArk.
▪ Integrate CyberArk with the following external systems:
■ LDAP Integration
■ SMTP Integration
■ SNMP Integration
■ SIEM Integration
■ NTP Integration

2
LDAP Integration

3
Overview

▪ LDAP integration allows an organization to automate user provisioning and
to separate Vault Admins from I&A functions.
▪ Users are transparently provisioned in the Vault with their user information
(full name; email address), and their security information (such as groups).

4
LDAP Integration (1)

▪ Prepare the LDAP server:
■ Create an LDAP Bind account with READ ONLY access to the directory.
• Have the User Name, Password, and DN available.
■ Create three LDAP groups that will be used for Vault access.

LDAP Group                 Vault Group
CyberArk Administrators    Vault Admins
CyberArk Auditors          Auditors
CyberArk Users             No mapping to any Vault group

5
LDAP Integration (2)

▪ Configure the LDAP connection to the external directory.

6
LDAP Integration (3)

▪ Configure the LDAP connection to the external directory.


■ Test the connection using the Test button.

7
LDAP Integration (4)

▪ Configure the LDAP connection to the external directory.
▪ Configure typical CyberArk roles based on predefined directory maps
(optional).

8
Directory Mapping

▪ A Directory Map determines whether a User Account or Group may be
created in the Vault, and the roles they will have.
• User Mapping – allows for authentication and defines user’s attributes,
such as Vault Authorizations and Location.
• Group Mapping – makes LDAP groups searchable from within CyberArk,
allowing mapped groups to be granted safe authorizations and to be nested
within built-in CyberArk groups.

9
Predefined Directory Maps

▪ When the first directory is configured using the setup wizard, predefined
directory mappings are created automatically with standard Vault
Authorizations and nested group settings for: CyberArk Users, Vault
Admins, and Auditors.
▪ You can use these directory maps immediately, modify them with relevant
mapping rules, or create new directory maps using the PrivateArk Client.

10
Vault Admins (4)

▪ After completing the configuration using the Wizard:


■ the AD group CyberArk Vault Admins will be created in the Vault and nested
under the internal Vault Admins group.
■ LDAP users who are members of CyberArk Vault Admins will be able to
authenticate to CyberArk using LDAP authentication.
■ LDAP users who are members of CyberArk Vault Admins will receive all vault
authorizations based on the User Template in the directory mapping.
■ LDAP users who are members of CyberArk Vault Admins will be able to see
the ADMINISTRATION Tab in the PVWA.

14
Transparent User Management

▪ When users authenticate through LDAP for the first time they are
provisioned automatically in the Vault.
▪ LDAP Users and Groups that have been created in the Vault are marked
with the LDAP User or Groups icon.
▪ If you delete a user within CyberArk, it will be automatically re-created upon
login if it still exists within AD.

To permanently delete a user, it would have to be removed from all groups
that have a directory mapping or deleted from the external directory.

15
LDAP Synchronization

▪ The Vault can be synchronized with the External Directories so that changes
made to External User properties can be updated automatically in the Vault.
▪ The relevant parameters are configured in the dbparm.ini file.

AutoSyncExternalObjects=Yes,24,1,5

■ Yes: Whether or not to sync with the External Directory
■ 24: The number of hours in one period cycle
■ 1,5: The hours during which the sync will take place

16
SMTP Integration

17
SMTP Integration

Email integration is critical for monitoring vault activity and facilitating workflow
processes:

■ Dual control messages and notifications

■ Password verification errors

■ Password change failures

■ Advance notice for password change
• Messages triggered as heads-up notification before passwords expire.

■ New/Modified Password
• Will trigger messages to Safe Owners upon arrival of newly created or
updated Passwords.

18
Notification Flow Examples

[Diagram: notification flow. Labels: "IT user requests access to account using PVWA"; "CPM fails to verify password"; Vault; ENE; SMTP Server; Port: 25.]

19
SMTP Setup

Email integration prerequisites:

▪ Have the IP address of the SMTP Gateway available.
▪ Ensure that any necessary firewall rules or ACLs allow communications from
the Vault Servers to the SMTP Gateway.

20
SMTP Setup

23
Confirmation Email

24
Monitoring the ENE

▪ Log Files
■ Stored on the Vault Server under
Program Files\PrivateArk\Server\ENE\Logs
■ ENEConsole.log – System Status Log

■ ENETrace.log – Messages and errors about activities of the ENE.

• Amount of trace information detail is controlled in the
EventNotificationEngine.ini

▪ Event Viewer
■ Service level events and errors
▪ Remote Control Client

25
SNMP Integration

26
Purpose

▪ We recommend not installing any third-party monitoring agents. CyberArk
can send status information to your monitoring solution using SNMP.
▪ SNMP traps can be sent from the Vault to monitoring solutions using the
Remote Control Agent.

Prerequisites:
▪ Configure Remote Control Agent
▪ Have IP Addresses of all servers that can accept SNMP traps available.
▪ Have Community String available.

27
SNMP Setup

▪ paragent.ini defines:
■ Information to be sent via SNMP traps
■ Location of SNMP trap receiver

[MAIN]
RemoteStationIPAddress=10.0.0.3
UserCredentialsPath="C:\Program Files (x86)\PrivateArk\Server\ParAgent.pass"
RemoteAdminPort=9022
ExtensionComponentList="C:\Program Files (x86)\PrivateArk\Server\PARVaultAgent.dll,C:\Program Files (x86)\PrivateArk\Server\PARENEAgent.dll"
AllowedMonitoredServices="PrivateArk Database,CyberArk Logic Container"
SNMPTrapsThresholdCPU=200,90,3,30,YES
SNMPTrapsThresholdPhysicalMemory=200,90,3,30,YES
SNMPTrapsThresholdSwapMemory=200,90,3,30,YES
SNMPTrapsThresholdDiskUsage=200,85,3,30,YES
SNMPTrapsThresholdServiceStatus=200,3,30,YES
LogMessagesFilterRegexp=.*
ExludedLogMessagesFilterRegexp=(ITA|PARE|PADR|CAS).*I
SNMPHostIP=10.0.1.1
SNMPTrapPort=162
SNMPCommunity="public"

28
SNMP Setup

▪ Restart Remote Control Agent

29
SIEM Integration

30
SIEM Integration

SIEM Integration is a powerful way to correlate Privileged Account Usage
with Privileged Account Activity.
▪ Have IP addresses of all servers that can accept SYSLOG information
available.
▪ Have a resource from the team responsible for SYSLOG servers
available.

31
SIEM Setup
▪ We will be sending Audit log information to the SIEM.
▪ Rename one of the sample translator files
■ Translator files translate CyberArk logging format into the SIEM logging
format
■ These five files will cover the most commonly deployed SIEM systems

32
SIEM Setup

▪ Add SYSLOG configuration to the dbparm.ini file.

[MAIN]
TasksCount=20
DateFormat=DD.MM.YY
TimeFormat=HH:MM:SS
ResidentDelay=10
BasePort=1858
LogRetention=7
LockTimeOut=30
DaysForAutoClear=30
DaysForPicturesDistribution=Never
ClockSyncTolerance=600

AllowNonStandardFWAddresses=[10.0.0.3],Yes,3389:outbound/tcp,3389:inbound/tcp
ComponentNotificationThreshold=PIMProvider,Yes,30,1440;AppProvider,Yes,30,1440;OPMProvider,Yes,30,1440;CPM,Yes,720,1440;PVWA,Yes,90,1440;PSM,Yes,30,1440;DCAUser,Yes,60,2880;SFE,Yes,10,2880;FTP,Yes,60,2880;ENE,Yes,60,360
[BACKUP]
BackupKey=C:\PrivateArk\Keys\Backup.key
[CRYPTO]
SymCipherAlg=AES-256
ASymCipherAlg=RSA-2048
[SYSLOG]
SyslogTranslatorFile=Syslog\ArcSight.xsl
SyslogServerIP=10.0.255.222
SyslogServerPort=514
SyslogServerProtocol=UDP
SyslogMessageCodeFilter=0-999
SyslogSendBOMPrefix=NO

33
SIEM Setup

▪ Restart PrivateArk Server Service
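
A review check for the SNMP Setup and SIEM Setup slides, added here as an example and not part of the CyberArk course material: it reads copies of paragent.ini and dbparm.ini, flags the SNMP community string and syslog transport shown above, and lists every AllowNonStandardFWAddresses opening for review. The function names and the wording of the findings are assumptions of this example; the sample files are constructed from the values on the slides.

```python
import re

# Constructed inputs: they reuse the settings shown on the slides above.
PARAGENT_INI = """[MAIN]
SNMPHostIP=10.0.1.1
SNMPTrapPort=162
SNMPCommunity="public"
"""
DBPARM_INI = """[MAIN]
AllowNonStandardFWAddresses=[10.0.0.3],Yes,3389:outbound/tcp,3389:inbound/tcp
[NTP]
AllowNonStandardFWAddresses=[10.0.1.1],Yes,123:outbound/udp,123:inbound/udp
[SYSLOG]
SyslogServerIP=10.0.255.222
SyslogServerProtocol=UDP
"""

def parse_ini(text):
    """Return (section, key, value) triples, keeping repeated keys."""
    section, rows = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
        elif "=" in line:
            key, value = line.split("=", 1)
            rows.append((section, key.strip().lower(), value.strip().strip('"')))
    return rows

def firewall_openings(text):
    """List each (address, second field, port, direction, protocol) rule."""
    openings = []
    for _section, key, value in parse_ini(text):
        m = re.fullmatch(r"\[([^\]]+)\],([^,]+),(.+)", value)
        if key != "allownonstandardfwaddresses" or not m:
            continue
        for rule in m.group(3).split(","):
            port, _, rest = rule.partition(":")
            direction, _, proto = rest.partition("/")
            openings.append((m.group(1), m.group(2), int(port), direction, proto))
    return openings

def audit(paragent_text, dbparm_text):
    """Flag the two weak settings visible in the sample files."""
    findings = []
    snmp = {k: v for _s, k, v in parse_ini(paragent_text)}
    syslog = {k: v for s, k, v in parse_ini(dbparm_text) if s == "SYSLOG"}
    if snmp.get("snmpcommunity", "").lower() in ("public", "private"):
        findings.append("SNMPCommunity is a well-known default string")
    if syslog.get("syslogserverprotocol", "").upper() == "UDP":
        findings.append("SyslogServerProtocol=UDP sends audit records unencrypted")
    return findings
```

Run it against exported copies of the two files rather than on the Vault server itself, and treat the firewall list as an inventory to compare with the integrations you actually configured.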

34
NTP Integration

35
NTP Integration

NTP integration can be important in environments where CyberArk is one of
many systems producing security logs, so that times between all security
devices will correlate.

Prerequisites:
▪ IP Address of the Network Time Server.

36
NTP Integration

▪ Create a firewall exception in DBParm.ini to allow the vault to communicate
on the NTP port (123).

[NTP]
AllowNonStandardFWAddresses=[10.0.1.1],Yes,123:outbound/udp,123:inbound/udp

37
NTP Integration

▪ Set a special time skew to prevent very large changes to the system clock.

HKLM\System\CurrentControlSet\Services\W32Time\Parameters\Period=65532

38
Summary

39
Summary

This session has covered:

▪ LDAP Integration
▪ SMTP Integration
▪ SNMP Integration
▪ SIEM Integration
▪ NTP Integration

40
Thank You

41