CYBERARK UNIVERSITY

Integrations

CyberArk Training
1
OBJECTIVES

By the end of this session you will be able to:

• Describe the main purpose for integrating CyberArk with other enterprise software, namely:
• LDAP
• SMTP
• SNMP
• SIEM
• NTP
• Integrate CyberArk with other Enterprise Software

2
LDAP INTEGRATION

3
PURPOSE

• The Privileged Account Security solution can be configured to manage users transparently through
a centralized User database, such as LDAP.
• The Privileged Account Security solution is a full LDAP (Lightweight Directory Access Protocol)
client, which communicates with LDAP-compliant directory servers to obtain User identification
and security information.
• This enables the automatic provisioning and creation of unique and individual users based upon
the external group membership and attributes.

4
PREREQUISITES

• Create an LDAP Bind account with READ ONLY access to the directory.
• Have the User Name, Password, and DN available.

• Create three LDAP groups for granting access to the vault.

• CyberArk Administrators
• CyberArk Auditors
• CyberArk Users

• We strongly recommend you use LDAP/S

• This insures that all of the traffic between the Domain Controller or LDAP authenticating Server and the
Vault is encrypted
• Install the Root Certificate for the CA that issued the certificate on the directory servers to the Vault Servers.
• Create a hosts file on the vault servers to manually resolve directory server names.

5
LDAP OVER SSL

• Import the CA Certificate

that signed the certificate
used by the External
Directory into the Vault
server certificate store.
• Configure the DNS of the
LDAP host in the hosts file

6
LDAP SETUP WIZARD

• The first LDAP Integration

is done via the setup
wizard in the PVWA
• Additional directories can
be integrated manually in
the PVWA

7
LDAP CONNECTION DETAILS

• Name – Typically the domain name

• Directory Type - LDAP Profile (e.g. AD)

• Address - Address of the LDAP server.

• Port – The port that will be used to access the

specified server. The standard port for SSL LDAP
connections is 636.

• LDAP Bind User and Password - A user with read

access to LDAP

• LDAP Base Context - The base context containing

your user and groups

• LDAP Bind Context – The base context of the

External Directory

8
CONFIGURE DIRECTORY MAPPING AND COMPLETE INTEGRATION

• Using the Wizard you can map typical

Privileged Account Security roles to groups in
the LDAP.
• Users who belong to these LDAP groups will
be automatically assigned to the relevant roles
in the Privileged Account Security system.

9
TRANSPARENT PROVISIONING

• Using the PrivateArk Client, under Users and

Groups. you can see the white icons are used
to indicate which users are externally
authenticated

• If you delete a user within CyberArk, it will be

automatically re-created upon login if it still exists
within AD and is still a member of one of the
groups defined in a Directory Mapping

• To permanently delete a user, it would have to be

removed from all groups that have a directory
mapping or deleted from the external directory.

• A process runs daily that checks which users

map to the various queries. If a user is removed
in AD the user will be removed from CyberArk

10
LDAP SYNCHRONIZATION

The following parameter

determines if and when
the Vault’s External users AutoSyncExternalObjects=Yes,24,1,5
and groups will be
synchronized with the
External Directory.
In the DBParm.ini file: Whether or
The number The hours
not to sync
of hours in during which
with the
one period the sync will
External
cycle take place
Directory

11
LDAP INTEGRATION
(DIRECTORY MAPPING)

12
DIRECTORY MAPPING OVERVIEW

• User Mapping – allows

for authentication and
Active Directory Vault
defines user’s attributes,
such as Vault
Authentication
Authorizations and Vault Authorizations
Location User Mapping
Add User
Add Safe

• Group Mapping – makes Etc…

LDAP groups searchable Safe Authorizations

from within CyberArk and
Group Mapping
allows mapped LDAP
groups to be granted Safe
authorizations based upon CyberArk Groups
group membership. Vault Admins
Auditors

13
PREDEFINED DIRECTORY MAPPING

• When the first directory is configured using the

setup wizard, pre-defined directory mappings
are created automatically with standard Vault
Authorizations and nested group settings for:
Vault Users, Vault Admins, and Auditors.
• You can use these directory maps immediately,
modify them with relevant mapping rules, or
create new directory maps using the
PrivateArk Client.
• Note that only the built-in Administrator user
can edit the Directory Mappings.

14
USER MAPPING: VAULT ADMINS (1)

• After completing the

configuration using the
Wizard:
• the AD group CyberArk
Vault Admins will be
created in the Vault and
nested under the internal
Vault Admins group.

15
USER MAPPING: VAULT ADMINS (2)

• After completing the

configuration using the
Wizard:
• the AD group CyberArk
Vault Admins will be
created in the Vault and
nested under the internal
Vault Admins group.
• LDAP users who are
members of CyberArk
Vault Admins will be able
to authenticate to
CyberArk using LDAP
authentication.

16
USER MAPPING: VAULT ADMINS (3)

• After completing the configuration using the

Wizard:
• the AD group CyberArk Vault Admins will be
created in the Vault and nested under the
internal Vault Admins group.
• LDAP users who are members of CyberArk
Vault Admins will be able to authenticate to
CyberArk using LDAP authentication.
• LDAP users who are members of CyberArk
Vault Admins will receive all Vault
authorizations based on the User Template in
the directory mapping.

17
USER MAPPING: VAULT ADMINS (4)

• After completing the configuration using the

Wizard LDAP users who are members of
CyberArk Vault Admins will be able to:
• authenticate to CyberArk using LDAP
authentication.
• receive all Vault authorizations based on the
User Template in the directory mapping.
• see the ADMINISTRATION tab in the PVWA.

18
ADDING A FILTER TO A GROUP MAPPING

• Adding a filter to Groups Mapping Allows you

to restrict which LDAP groups can be listed
when adding groups to Safe permissions
• You want to restrict the search to groups that
should be used for CyberArk Safe Access
• Exclude the groups used for Vault
Authorizations, i.e., CyberArk Vault Admins,
CyberArk Vault Auditors, CyberArk Vault Users

19
CONFIGURING GROUP MAPPING FILTERS

• This Query Filter will

restrict the search within
AD when adding members
to a safe, to only the
groups listed.

(&(objectclass=group)(|(CN=LinuxAdmins*)
(CN=WindowsAdmin*)(CN=ITManage*)(CN=Cyber*)))

20
CONFIGURING GROUP MAPPING FILTERS

• This Query Filter will

restrict the search within
AD when adding members
to a safe, to only the
groups listed.
• When searching for AD
groups, only groups that
answer the query can be
listed and added as
members

(&(objectclass=group)(|(CN=LinuxAdmins*)
(CN=WindowsAdmin*)(CN=ITManage*)(CN=Cyber*)))

21
SMTP INTEGRATION

22
SMTP INTEGRATION

Email integration is critical for vault activity email notifications and to

facilitate workflow processes.
Prerequisites:
• Have the IP address of the SMTP Gateway Available.
• Ensure that any necessary firewall rules or ACLs allow
communications from the Vault Servers to the
SMTP Gateway.

23
SETUP WIZARD

• SMTP setup is configured

via the Setup Wizard

24
SMTP SETTINGS

• SMTP address – The IP address of the SMTP

server. You can specify multiple IP addresses
for high availability implementations. Separate
multiple IP addresses with commas.
• Sender Email – The mail address that will
appear as the notification sender.
• Sender Display Name – The name that will
appear as the sender’s name.
• SMTP Port – The port through which the ENE
will send notifications.
• Recipients Domain – The name of the
domain where the recipient’s email account
exists.
• PVWA URL – The URL of the machine where
the PVWA is installed (e.g.
https://www.myserver.com)

25
CONFIRMATION EMAIL

• Once you click on Finish the initial ENE

configuration is saved and the Email
notification setup message appears.
• Click Yes to send a test email to the members
of the Vault Admins group.

26
RUN WIZARD AGAIN

• After the ENE has been

configured using the
wizard, the ENE setup
wizard will be disabled.
• To rerun the ENE setup
wizard, in the Notification
Settings page, set the
SMTP address to 1.1.1.1

27
 SNMP INTEGRATION
(OR, HOW TO CONFIGURE REMOTE MONITORING)

28
PURPOSE

• Remote Monitoring relies upon SNMP to send Vault traps to a remote terminal. This enables users to
receive both Operating System and Vault Server information.

• CPU, memory, and disk usage

Operating System
• Event log notifications
information:
• Service status

Component-specific • Password Vault and DR Vault status

information: • Password Vault and DR Vault logs

29
CONFIGURE REMOTE MONITORING

We discourage installing any third-party monitoring agents. CyberArk can send status information to
your monitoring solution using SNMP.
Prerequisites:
• Have IP Addresses of all servers that can accept SNMP traps available.
• Have Community String available.
• Provide the Management Information Base (MIB) files to the SNMP administrator for
loading into the management console.
• Have a resource from the team responsible for SNMP monitoring

30
CONFIGURE REMOTE CONTROL AGENT

• SNMP is enabled by
configuring the Remote
Control Agent during the
initial vault server
installation.
• If the RCAgent is not
configured during initial
vault installation, it can be
configured post
installation.

• See “To Configure Remote

Monitoring” in the PAS
Implementation Guide for
step by step instructions.

31
SNMP SETUP

• Configure paragent.ini with

the following information:
• SNMPHostIP – The IP
address of the remote
computer where SNMP
traps will be sent.
• SNMPTrapPort – The
port through which
SNMP traps will be sent
to the remote computer.
• SNMPCommunity – The
name of location where
the SNMP traps
originated.

32
RESTART RCA AND TEST SNMP

• Restart the PrivateArk

Remote Control Agent
service to read the
changes made into
memory.
• Check with the
administrator of the SNMP
console to ensure that the
SNMP messages sent are
being received and are
readable.

33
SIEM INTEGRATION

34
SIEM INTEGRATION

SIEM Integration is a powerful way to correlate

Privileged Account Usage with Privileged Account Activity.
• Have IP addresses of all servers that can accept
SYSLOG information available.
• Have a resource from the team responsible for
SYSLOG servers available.

35
SIEM SETUP

• We will be sending Audit

log information to the
SIEM.
• Rename one of the
sample translator files
• Translator files translate
CyberArk logging format
into the SIEM logging
format
• These five files will cover
the most commonly
deployed SIEM systems
• The Arcsight translator
file works with Splunk
and others

36
SIEM INTEGRATION

• Add SYSLOG
configuration to dbparm.ini
• Current functionality
allows multiple IP
addresses and Message
Code filters, but only if the
servers communicate on
the same port and protocol

37
RESTART AND TEST

• Restart the PrivateArk

Server Service
• Check with the
administrator of the SIEM
console to ensure that the
SYSLOG messages sent
are being received and are
readable.

38
TIME SYNCHRONIZATION

39
PURPOSE

• The vault server(s) are standalone and do not participate in

a domain, where time synchronization of domain members
occurs automatically.
• The vault servers must be configured to use NTP to
synchronize system clocks to an external time source.

40
NTP INTEGRATION

NTP integration can be important in environments where CyberArk is one of many system producing
security logs, so that times between all security devices will correlate.

Prerequisites: • IP Address of the Network Time Server.

41
NTP INTEGRATION

• Enable the Windows Time

service, set to Automatic
(Delayed Start)
• Run the following
command to ensure that
the service is not
automatically stopped on
boot, as it is not a member
of a domain:
• sc triggerinfo w32time
delete

42
NTP INTEGRATION

• Create a firewall exception

in DBParm.ini to allow the
vault to communicate on
the NTP port tcp_123
• Restart the PrivateArk
Server service to read the
changes made into
memory.

43
NTP INTEGRATION

• Set a special time skew to

prevent very large
changes to the system
clock.
• HKLM\System\CurrentC
ontrolSet\Services\W32T
ime\Parameters\Period=
65532

• Run the following

command
• W32tm /config
/manualpeerlist:X.X.X.X
/syncfromflags:manual
/reliable:YES /update

• Reference published
solution number 00001769

44
SUMMARY

45
SUMMARY

In this session we covered:

• LDAP Integration

• SMTP Integration
• SNMP Integration
• SIEM Integration
• NTP Integration

46
THANK YOU

47