04 - PAM I and C - Integrations

Vault Integrations

CyberArk University

© 2024 CyberArk Software Ltd. All rights reserved


Objectives
By the end of this session you will be able to:
1. Describe the main purpose for integrating CyberArk with other enterprise software, namely:
   • LDAP
   • SMTP
   • SNMP
   • SIEM
   • NTP
2. Integrate CyberArk with other enterprise software

[Diagram: the Production Vault Server and the ports each integration uses]
   Directory Server – TCP_389/636 (LDAP/LDAPS)
   Security information and event management (SIEM) – UDP_514 (syslog)
   Network Management – UDP_161/UDP_162 (SNMP)
   SMTP Mail Gateway – TCP_25/TCP_465
   Network Time Server – UDP_123 (NTP)


LDAP Integration


LDAP Integration
Purpose
• The Privileged Access Manager solution can be configured to manage users transparently
through a centralized user directory accessed over LDAP
• The Enterprise Password Vault is a full LDAP (Lightweight Directory Access Protocol) client
and can communicate with LDAP-compliant or compatible directory servers to obtain user
identification and security information
• LDAP Integration enables the automatic provisioning of users and allows for the use of LDAP
groups providing Access Control to Safes


LDAP Integration
Prerequisites
The customer must provide:

• An LDAP Bind account with READ ONLY


access to the directory.
⎼ Have the User Name, Password, and DN
available
• Four LDAP groups representing roles in the
Digital Vault
⎼ CyberArk Administrators
⎼ CyberArk Safe Managers
⎼ CyberArk Auditors
⎼ CyberArk Users


LDAP integration
Q&A
Q: Does CyberArk PAM do Active Directory integration?
A: No, CyberArk PAM does not do AD integration. CyberArk PAM integrates with LDAP
directories, such as Active Directory, SunOne Directory Server, IBM Directory Server, etc.
There are other examples.

Q: What do we take for granted when servers and desktops are AD integrated?
A: Time synchronization, and a secure channel (Kerberos) between the desktop and the
domain controller (directory server).

With LDAP integration, when authenticating via the PVWA, the Digital Vault server opens an
LDAP connection to the directory server and passes the user's credentials over the
clear-text LDAP protocol by default (tcp_389).

Q: How can we secure this communications channel?
A: Using digital certificates, we can use Secure LDAP (LDAP over SSL) and encrypt the
communications between the Digital Vault and the Directory Server.


LDAP Integration – Prerequisites
LDAP/S is required to secure the communications channel between the Digital Vault
and the Directory Server.

• This ensures that all the traffic between the Domain Controller or LDAP authenticating Server
and the Vault is encrypted
• Install all relevant Root and Intermediate Certificates for the CA that issued the certificate on
the directory servers to the Vault Servers.
• Add the directory server's host name and IP address to the hosts file on the Vault servers,
so the Vault can resolve the name without relying on DNS

[Diagram: PVWA (TCP_443 from users) → Production Vault Server (TCP_1858 from the PVWA)
→ Directory Server (TCP_636 from the Vault)]


LDAP Over SSL
• Import the CA Certificate that signed the certificate used by the External Directory into the
Vault server certificate store.
• Add the DNS name of the LDAP host to the hosts file
• No additional Vault firewall rule is required; adding one would expose the Vault to
unnecessary risk!
• The implementation and use of secure protocols is an emphasized area of study for all
CyberArk certifications!


LDAP Setup
Wizard
• LDAP Integration is configured
easily in the PVWA
• The Vault can be configured to
integrate with multiple directories
easily by selecting the “New
Domain” link in the LDAP
Integration page of PVWA
• Only the Vault’s built-in
Administrator can configure
LDAP Integration.


LDAP Setup Wizard:
Define Domain
• Enter the domain name
• Select "Use Secure connection (SSL)" to encrypt authentication traffic on the network
• Enter the Bind user name and password
• Enter the Domain base context using LDAP notation (a distinguished name such as
DC=corp,DC=local)


LDAP Setup Wizard:
Create Directory Mapping
• Select and assign external directory groups to CyberArk internal roles
• All 4 default directory mappings must be defined before proceeding


LDAP Setup Wizard:
Summary
• Review the summary of the LDAP Integration details
• Save the LDAP configuration and sign in to the PVWA as an LDAP user to confirm the
integration


LDAP Setup Wizard:
Classic
• The Classic LDAP Wizard can be used to configure the Global Catalog ports (3268, or 3269
for Global Catalog over SSL) or any other custom ports required
• Customization can also be achieved via the LDAP Integration link


Transparent Provisioning
• Using the PrivateArk Client, under Users and Groups, the white icons indicate which users
are externally authenticated
• If you delete a user within CyberArk, it will be automatically re-created upon login if it still
exists within AD and is still a member of one of the groups defined in a Directory Mapping
⎼ As long as permissions are assigned via groups, there is no real effect on the user
⎼ If Safe permissions were assigned to the individual user, the deleted (and re-created) user
loses their permissions to the Safes where they were specifically assigned
• To permanently delete a user, it would have to be removed from all groups that have a
directory mapping or deleted from the external directory


LDAP Synchronization
• A process runs daily to synchronize transparent user attributes with the external directory
• A user must be deleted from the external directory, or the user will not be removed from
the Vault
• In DBParm.ini this parameter determines synchronization with the external directory:
AutoSyncExternalObjects=Yes,24,1,5
⎼ Yes – whether or not to sync with the External Directory
⎼ 24 – the number of hours in one period (sync cycle)
⎼ 1,5 – the hours during which the sync will take place


LDAP Integration (Directory Mapping)


Directory Mapping Overview
User Mapping – allows for authentication and defines the user's attributes, such as Vault
Authorizations and Location

Group Mapping – makes LDAP groups searchable from within CyberArk and allows mapped
LDAP groups to be granted Safe authorizations based upon group membership.

[Diagram: ACTIVE DIRECTORY → VAULT. User Mapping grants Vault Authorizations (Add User,
Add Safe, etc.) and membership of CyberArk Groups (Vault Admins, Auditors); Group Mapping
grants Safe Authorizations]


Default Directory
Mappings
• Directory mappings are created by the LDAP Integration Wizard, automatically assigning
default Vault Authorizations with nested group settings for:
⎼ Vault Users
⎼ Vault Admins
⎼ Safe Managers
⎼ Auditors
• Custom roles can be defined by modifying existing Directory Maps or by creating new
directory maps
• Only the built-in Administrator can edit the Directory Mappings.

User Mapping:
Nested groups
External groups are nested in internal groups to enable the display of the necessary options
in the PVWA
• The external group CyberArk Vault Admins is added to the internal Vault Admins group
• The external group CyberArk Auditors is added to the internal Auditors group

User Mapping:
Vault Admins
After completing the configuration using
the Wizard LDAP users who are
members of CyberArk Vault Admins
will be able to:
• Authenticate to CyberArk using LDAP
authentication
• Receive all Vault authorizations based
on the User Template in the directory
mapping
• View Policies, Administration, System
Configuration, Platform Management
and other options


Adding a Filter to
a Group Mapping
• Updating the rule to add a filter to the Group Mapping allows you to restrict which LDAP
groups can be listed when adding groups to Safe permissions
• It is recommended to restrict the search to groups that should be used for CyberArk Safe
permissions
• Exclude the groups used for Vault Authorizations, i.e., CyberArk Vault Admins, CyberArk
Vault Auditors, CyberArk Vault Users


Configuring Group Mapping Filters
• The Branch parameter restricts where in the LDAP directory the query will be executed
• The Query Filter shown will restrict the search of the external directory, when adding
members to a Safe, to only the groups listed
• Selecting the "Test" button will execute the query and display the results
• When searching for external LDAP groups, only groups that are allowed by the query can be
listed and added as members

(&(objectClass=group)(|(CN=Cyber*)(CN=Linux*)(CN=Oracle*)(CN=WindowsAdmin*)(CN=ITManage*)))

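Worked example (added here; it is not part of the CyberArk course material): a small evaluator for the group-mapping filter shown above. It parses the RFC 4515 filter and runs it over constructed Active Directory group entries, which exposes a catch in the slide's own query: CN=Cyber* also lists the CyberArk Vault Admins/Auditors/Users groups that the previous slide says to keep out of Safe permissions. The HARDENED_FILTER with its (!(CN=CyberArk Vault *)) clause is hypothetical and assumes your Vault-authorization groups share that name prefix; the SAMPLE_GROUPS entries are constructed.

```python
"""Evaluate a CyberArk group-mapping LDAP filter against sample directory groups.

Added example, not part of the CyberArk course material. Implements the subset of
RFC 4515 search filters the slide's query uses (&, |, !, equality with '*'
wildcards) and runs it over constructed AD group entries, so you can see which
groups a filter will offer to Safe owners before you save it.
"""
import re

# Constructed sample entries standing in for AD group objects (assumption: the
# filter only consults objectClass and CN, as in the slide's query).
SAMPLE_GROUPS = [
    {"objectClass": ["top", "group"], "CN": "CyberArk Vault Admins"},
    {"objectClass": ["top", "group"], "CN": "CyberArk Vault Auditors"},
    {"objectClass": ["top", "group"], "CN": "CyberArk Vault Users"},
    {"objectClass": ["top", "group"], "CN": "CyberArk Oracle Users"},
    {"objectClass": ["top", "group"], "CN": "LinuxAdmins"},
    {"objectClass": ["top", "group"], "CN": "OracleDBA"},
    {"objectClass": ["top", "group"], "CN": "WindowsAdmins"},
    {"objectClass": ["top", "group"], "CN": "Domain Admins"},
    {"objectClass": ["top", "user"], "CN": "Linux Service Account"},
]

# The filter from the slide: CN=Cyber* also admits the three Vault-authorization groups.
SLIDE_FILTER = ("(&(objectClass=group)(|(CN=Cyber*)(CN=Linux*)(CN=Oracle*)"
                "(CN=WindowsAdmin*)(CN=ITManage*)))")

# Same allow-list plus a NOT clause dropping the Vault-authorization groups
# (hypothetical; adjust the prefix to the group names you actually mapped).
HARDENED_FILTER = ("(&(objectClass=group)(!(CN=CyberArk Vault *))(|(CN=Cyber*)"
                   "(CN=Linux*)(CN=Oracle*)(CN=WindowsAdmin*)(CN=ITManage*)))")

def parse_filter(text):
    """Recursive descent over the RFC 4515 subset: returns ('&'|'|', [children]),
    ('!', [child]) or ('=', attribute, pattern); raises ValueError if malformed."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos:pos + 1]
        if op in ("&", "|"):
            pos += 1
            children = []
            while text[pos:pos + 1] == "(":
                children.append(node())
            result = (op, children)
        elif op == "!":
            pos += 1
            result = ("!", [node()])
        else:
            end = text.find(")", pos)
            if end < 0:
                raise ValueError("unterminated assertion")
            attr, sep, pattern = text[pos:end].partition("=")
            if not (sep and attr and pattern):
                raise ValueError(f"bad assertion {text[pos:end]!r}")
            result = ("=", attr, pattern)
            pos = end
        if text[pos:pos + 1] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def _values(entry, attribute):
    """Case-insensitive attribute lookup; always returns a list of strings."""
    for key, value in entry.items():
        if key.lower() == attribute.lower():
            return value if isinstance(value, list) else [value]
    return []

def matches(tree, entry):
    """Evaluate a parsed filter against one entry. AD string matching is
    case-insensitive and '*' is the only wildcard (RFC 4515 substring filter)."""
    kind = tree[0]
    if kind == "&":
        return all(matches(child, entry) for child in tree[1])
    if kind == "|":
        return any(matches(child, entry) for child in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    _, attribute, pattern = tree
    regex = re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.I)
    return any(regex.fullmatch(v) for v in _values(entry, attribute))

def allowed_groups(filter_text, entries=SAMPLE_GROUPS):
    """Return the CNs a Safe owner would be offered under this filter."""
    tree = parse_filter(filter_text)
    return [entry["CN"] for entry in entries if matches(tree, entry)]

if __name__ == "__main__":
    for label, flt in (("slide", SLIDE_FILTER), ("hardened", HARDENED_FILTER)):
        print(f"{label}: {allowed_groups(flt)}")
```

Run it before pasting a filter into the Group Mapping: the slide's filter returns all three "CyberArk Vault ..." groups, while the hardened one still admits a legitimate Safe-permission group such as "CyberArk Oracle Users". The real directory search also honours the Branch parameter, which this evaluator does not model.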

SMTP Integration


SMTP Integration
Email integration is critical for vault activity
alerts and notifications and to facilitate
workflow processes.

Prerequisites:
• Have the IP address of the SMTP Gateway available.
• Ensure that any necessary firewall rules or
ACLs allow communications from the Vault
Servers to the SMTP Gateway.


Setup Wizard
SMTP setup is configured via
the Setup Wizard


SMTP Settings
SMTP ADDRESS
The IP address of the SMTP server. You can specify multiple IP addresses for high availability
implementations. Separate multiple IP addresses with commas.

SENDER EMAIL
The mail address that will appear as the notification sender.

SENDER DISPLAY NAME
The name that will appear as the sender's name.

SMTP PORT
The port through which the ENE (Event Notification Engine) will send notifications.

RECIPIENTS DOMAIN
The name of the domain where the recipient's email account exists.

PVWA URL
The URL of the machine where the PVWA is installed (e.g. https://www.myserver.com)


Confirmation Email
Once you click on Finish, the initial ENE configuration is saved and the Email notification setup
message appears.

Click Yes to send a test email to the members of the Vault Admins group.


Run Wizard Again
• After the ENE has been configured using the wizard, the ENE setup wizard will be disabled
• To enable the ENE setup wizard again, set the SMTP address to 1.1.1.1 in System
Configuration > Notification Settings
• CyberArk's Digital Vault supports authenticated and encrypted email notifications

For more information, search the CyberArk online documentation for "Authenticated and
encrypted email notifications"


SNMP Integration
(or, How to Configure Remote Monitoring)


Purpose
Remote Monitoring relies upon SNMP to send Vault traps to a remote terminal.
This enables users to receive both Operating System and Vault Server information.

Operating System Information:
• CPU, memory, and disk usage
• Event log notifications
• Service status

Component-specific information:
• Password Vault and DR Vault status
• Password Vault and DR Vault logs


Configure SNMP Integration
CyberArk discourages installing any third-party
monitoring agents. The Digital Vault can send status
information to your monitoring solution using SNMP.

Prerequisites:
• Have IP Addresses of all servers that can accept SNMP
traps available
• Have Community String available
• Provide the Management Information Base (MIB) files to
the SNMP administrator for loading into the management
console. MIB files are included with the Digital Vault
software
• Have a resource from the team responsible for SNMP
monitoring


Configure Remote
Control Agent
• SNMP is enabled by configuring the Remote Control Agent during the initial vault server
installation
• If the Remote Control Agent is not configured during initial vault installation, it can be
configured post installation

See "To Configure Remote Monitoring" on docs.cyberark.com for step by step instructions


SNMP
Configuration
Configure paragent.ini with the following information:
SNMPHostIP – The IP address of the remote computer where SNMP traps will be sent.
SNMPTrapPort – The port through which SNMP traps will be sent to the remote computer
(the standard trap port is UDP_162).
SNMPCommunity – The SNMP community string expected by the trap receiver. In SNMPv1/v2c
the community string is the only "authentication" a trap carries, so treat it as a secret and
do not leave it at a default such as "public".


SNMP
Configuration
• Restart the PrivateArk Remote Control Agent service to read the changes made into memory.
• Check with the administrator of the SNMP console to ensure that the SNMP messages sent
are being received and are readable.


SIEM Integration


SIEM Integration
SIEM Integration is a powerful way to correlate Privileged Account Usage with
Privileged Account Activity.

Prerequisites:
• IP addresses of all servers that can accept SYSLOG messages
• The Vault uses any of the following protocols to send messages:
⎼ TLS, TCP or UDP
⎼ Configuring the Vault to use TLS requires a signed certificate on the syslog server, and the
issuing CA's certificate on the Vault so that the Vault can verify it


SIEM Setup
• Integration with a SIEM means that
Audit log information will be sent to
the SIEM console for aggregation,
reporting and alerting.
• Rename one of the sample
translator files
⎼ Translator files translate CyberArk
logging format into the SIEM
logging format
⎼ These files will cover the most
commonly deployed SIEM systems
⎼ For Splunk integration, download
the Splunk add-on for CyberArk
from the Splunk website.


SIEM Integration
• Add SYSLOG configuration to dbparm.ini
• The Syslog configuration allows for multiple IP addresses and Message Code filters


SIEM Integration
Using Encrypted
Protocol
• The example shows a set of syslog properties that will send different syslog messages to one
syslog server using the encrypted syslog protocol (TLS). Port 514 is the value used in the
example; many collectors receive syslog over TLS on 6514 (the RFC 5425 port) instead, so
confirm the port with the SIEM administrator
• The root CA certificate is stored in the root of the Vault installation directory

SyslogServerIP=192.168.1.1
SyslogServerPort=514
SyslogServerProtocol=TLS
SyslogTranslatorFile=Syslog\Arcsight.sample.xsl
SyslogMessageCodeFilter=7,8,295
SyslogTrustedCAPath="syslogCA.cer"
UseLegacySyslogFormat=no

More information can be found on docs.cyberark.com, "Security Information and Event
Management Applications"


SIEM Integration
• Restart the PrivateArk Server Service.
• Use the Windows Services applet to restart, to ensure that service dependencies restart
successfully.
• Check with the administrator of the SIEM console to ensure that the SYSLOG messages sent
are being received and are readable.
• Check logs for possible errors and validation.

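Worked example (added here; not CyberArk code) covering both the AutoSyncExternalObjects setting from the LDAP Synchronization slide and the Syslog* settings from the SIEM slides: a checker that reads a DBParm.ini fragment and reports findings before you restart the PrivateArk Server service. The two DBParm.ini fragments are constructed. The assumptions that DBParm keys are case-insensitive, that each comma-separated Syslog* value is a positional list with one entry per syslog server, that the protocol defaults to UDP when unset, and that a TLS server needs SyslogTrustedCAPath are mine, not documented behaviour.

```python
"""Check the LDAP-sync and syslog (SIEM) settings in a DBParm.ini before a restart.

Added example, not CyberArk code. Assumptions (not documented behaviour): DBParm
keys are case-insensitive, each comma-separated Syslog* value is a positional
list with one entry per syslog server, the protocol defaults to UDP when unset,
and a TLS server needs SyslogTrustedCAPath so the Vault can verify its certificate.
"""

# Constructed fragment mirroring the course's encrypted-syslog example.
GOOD_DBPARM = r"""
[MAIN]
AutoSyncExternalObjects=Yes,24,1,5
SyslogServerIP=192.168.1.1
SyslogServerPort=514
SyslogServerProtocol=TLS
SyslogTranslatorFile=Syslog\Arcsight.sample.xsl
SyslogMessageCodeFilter=7,8,295
SyslogTrustedCAPath="syslogCA.cer"
"""

# Constructed fragment with the mistakes the checker should flag.
WEAK_DBPARM = """
AutoSyncExternalObjects=No,24,5,1
SyslogServerIP=192.168.1.1,192.168.1.2
SyslogServerPort=514
SyslogServerProtocol=UDP,TLS
SyslogMessageCodeFilter=7,8,295,all
"""

SYSLOG_PROTOCOLS = {"TLS", "TCP", "UDP"}

def parse_dbparm(text):
    """Key=Value lines -> {lower-cased key: value}; blanks, comments, [sections] skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip().lower()] = value.strip().strip('"')
    return params

def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()] if value else []

def check_autosync(params):
    """AutoSyncExternalObjects=<Yes|No>,<cycle hours>,<window start hour>,<window end hour>."""
    raw = params.get("autosyncexternalobjects")
    parts = _csv(raw)
    if len(parts) != 4:
        return [f"AutoSyncExternalObjects missing or malformed: {raw!r}"]
    enabled, cycle, start, end = parts
    problems = []
    if enabled.lower() == "no":
        problems.append("sync disabled: users removed from the directory stay in the Vault")
    elif enabled.lower() != "yes":
        problems.append(f"first field must be Yes or No, got {enabled!r}")
    if not all(p.isdigit() for p in (cycle, start, end)):
        return problems + [f"non-numeric hour field in {raw!r}"]
    if int(cycle) == 0 or int(start) > 23 or int(end) > 23:
        problems.append(f"cycle must be >= 1 hour and window hours 0-23: {raw!r}")
    elif int(start) >= int(end):
        problems.append(f"sync window start ({start}) must precede end ({end})")
    return problems

def check_syslog(params):
    """One port/protocol/translator per server, valid values, TLS backed by a CA,
    and a finding for every clear-text transport."""
    ips = _csv(params.get("syslogserverip"))
    if not ips:
        return ["SyslogServerIP missing: no audit records will reach the SIEM"]
    ports = _csv(params.get("syslogserverport")) or ["514"]
    protos = _csv(params.get("syslogserverprotocol")) or ["UDP"]   # assumed default
    translators = _csv(params.get("syslogtranslatorfile"))
    problems = []
    for name, values in (("SyslogServerPort", ports), ("SyslogServerProtocol", protos),
                         ("SyslogTranslatorFile", translators)):
        if len(values) not in (1, len(ips)):   # assumption: positional lists
            problems.append(f"{name} has {len(values)} entries for {len(ips)} servers")
    for i, ip in enumerate(ips):
        proto, port = protos[i % len(protos)].upper(), ports[i % len(ports)]
        if proto not in SYSLOG_PROTOCOLS:
            problems.append(f"{ip}: unknown protocol {proto!r}")
        elif proto != "TLS":
            problems.append(f"{ip}: {proto} sends audit records in clear text; prefer TLS")
        elif not params.get("syslogtrustedcapath"):
            problems.append(f"{ip}: TLS selected but SyslogTrustedCAPath is not set")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"{ip}: invalid port {port!r}")
    bad = [c for c in _csv(params.get("syslogmessagecodefilter")) if not c.isdigit()]
    if bad:
        problems.append(f"SyslogMessageCodeFilter has non-numeric codes: {bad}")
    return problems

def audit(text):
    params = parse_dbparm(text)
    return check_autosync(params) + check_syslog(params)

if __name__ == "__main__":
    for label, body in (("good", GOOD_DBPARM), ("weak", WEAK_DBPARM)):
        print(label, audit(body) or "no findings")
```

Feed it the real DBParm.ini (open(path).read()) on a copy off the Vault; an empty list from audit() means the sync schedule is sane and every syslog destination is TLS with a trusted CA configured.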

Time Synchronization


Purpose
• It is critically important to reduce or eliminate time drift between the Vault server and the
CyberArk system components.
• The Vault server(s) are standalone and do not participate in a domain, so time
synchronization must be configured manually.
• The Vault servers must be configured to use NTP to synchronize system clocks to an external
time source.


NTP Integration
NTP integration is also important in environments where CyberArk is one of many systems
producing security logs, so that times between all security devices can be correlated.

Prerequisites:
• IP Address of the Network Time Server
• Open network path for the NTP standard port, udp_123 (NTP runs over UDP, not TCP)


NTP Integration
Enable the Windows Time service, set to Automatic (Delayed Start)


NTP Integration
• Create a firewall exception in DBParm.ini to allow the vault to communicate on the NTP port
udp_123
• Restart the PrivateArk Server service to read the changes made into memory.


NTP Integration
• Run the following command at an elevated (Administrator) command prompt; with more than
one peer the list is space-delimited and must be quoted:
w32tm /config /manualpeerlist:"1.1.1.1 2.2.2.2" /syncfromflags:manual /reliable:YES /update
• Enter the following command to force the Windows Time service to refresh its new
configuration
w32tm /resync /rediscover
• Run the following command to check if the server is now using NTP
w32tm /query /source
• If the output shows one of the servers in your peer list, the server is now using NTP; if it
shows "Local CMOS Clock", it is not

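Worked example (added here; not CyberArk material) of what the w32tm commands above measure: an SNTP request/reply over UDP/123 and the RFC 5905 offset and delay derived from its four timestamps, with checks that the reply is genuine (it echoes our originate timestamp) and comes from a synchronised server (stratum 1 to 15). The reply in demo_drift() is constructed so the script runs offline; query_server() performs a live exchange against whatever time server you name, and the 1 s tolerance is an assumed threshold, not a CyberArk value.

```python
"""Work out clock offset from an NTP exchange (RFC 5905, client/server mode).

Added example, not CyberArk material. A 48-byte SNTP request goes out over
UDP/123 and the four timestamps (t1 sent, t2 server received, t3 server replied,
t4 reply arrived) give the offset and round-trip delay. The demo reply is
constructed so the code runs offline; query_server() does a live exchange.
"""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)
NTP_PORT = 123                 # NTP is UDP/123
HEADER = "!BBbb3I8I"           # LI/VN/mode, stratum, poll, precision, 3 x 32-bit, 4 x 64-bit ts

def to_ntp(unix_ts):
    """Unix seconds (float) -> (seconds, fraction) of a 64-bit NTP timestamp."""
    whole = int(unix_ts)
    return whole + NTP_EPOCH_OFFSET, int((unix_ts - whole) * (1 << 32))

def from_ntp(seconds, fraction):
    return seconds - NTP_EPOCH_OFFSET + fraction / (1 << 32)

def build_request(t1):
    """Client packet: LI=0, VN=4, mode=3; transmit timestamp = t1, everything else zero."""
    return struct.pack(HEADER, 0x23, 0, 0, 0, *([0] * 9), *to_ntp(t1))

def build_reply(t1, t2, t3, stratum=2):
    """Constructed server reply (mode 4): originate = t1 echoed, receive = t2, transmit = t3."""
    return struct.pack(HEADER, 0x24, stratum, 0, 0, 0, 0, 0,
                       *to_ntp(t3), *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))

def parse_reply(packet):
    """Return (mode, stratum, originate, receive, transmit) from a 48-byte reply."""
    f = struct.unpack(HEADER, packet[:48])
    return (f[0] & 0x07, f[1], from_ntp(f[9], f[10]),
            from_ntp(f[11], f[12]), from_ntp(f[13], f[14]))

def clock_offset(t1, t2, t3, t4):
    """RFC 5905: offset = ((t2 - t1) + (t3 - t4)) / 2, delay = (t4 - t1) - (t3 - t2)."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def evaluate_reply(packet, t1, t4, max_offset=1.0):
    """Validate the reply against our request; return (offset, delay, within_tolerance).
    max_offset (assumed 1 s here) is the drift you tolerate between Vault and components."""
    mode, stratum, originate, t2, t3 = parse_reply(packet)
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if stratum == 0 or stratum > 15:   # 0 = kiss-o'-death, 16 = unsynchronised
        raise ValueError(f"server is not synchronised (stratum {stratum})")
    if abs(originate - t1) > 1e-6:     # reply must echo our transmit timestamp
        raise ValueError("originate timestamp mismatch: stale or spoofed reply")
    offset, delay = clock_offset(t1, t2, t3, t4)
    return offset, delay, abs(offset) <= max_offset

def query_server(host, timeout=2.0):
    """Live SNTP exchange over UDP/123 (needs network; not used by the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (host, NTP_PORT))
        packet, _ = sock.recvfrom(48)
        t4 = time.time()
    return evaluate_reply(packet, t1, t4)

def demo_drift():
    """Constructed scenario: the Vault's clock is 90 s behind the server, 20 ms round trip."""
    t1 = 1_700_000_000.0                                # Vault clock when the request left
    reply = build_reply(t1, t1 + 90.010, t1 + 90.011)   # server clock is 90 s ahead
    return evaluate_reply(reply, t1, t1 + 0.020)

if __name__ == "__main__":
    offset, delay, ok = demo_drift()
    print(f"offset {offset:+.3f} s, delay {delay * 1000:.1f} ms, within tolerance: {ok}")
```

Run query_server("<your time server>") from a host that is allowed to reach it to see the same offset w32tm reports; an offset of tens of seconds is exactly the drift that breaks log correlation across the Vault and its components.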

Summary


Summary
In this session we covered:

• LDAP Integration

• SMTP Integration

• SNMP Integration

• SIEM Integration

• NTP Integration
