CyberArk P-Cloud (CyberArk Privilege Cloud) Identity Deployment

This post summarizes the steps to deploy your P-Cloud.

Privilege Cloud Interface

Once you have subscribed to P-Cloud, you will receive an activation email to activate your account.
Your account name will look like cludadminjnetsec@

Your email address is used as the MFA factor to authenticate your access to your P-Cloud environment.
P-Cloud URL: https://<company name>.

After logging in, it will look like this:

Connector Server 

1 CyberArk Identity Connector Service

Creates a secure WebSocket tunnel between the Identity tenant and the on-premises LDAPS system

LDAPS, RADIUS

2 CyberArk Password Manager

All password management and rotation capabilities

3 CyberArk Privileged Session Manager

4 CyberArk Privilege Cloud Secure tunnel Service

SIEM and HTML5 Gateway integration

5 Install Identity Connector


6 From Connector Management, generate script to install Connector Management Agent

Once you have successfully run the script, you can deploy CPM and PSM to the connector servers through the Connector Management agent.

7 Applying the hardening GPO

Local security policies are configured during installation.

One unified domain GPO (for CPM and PSM) must be applied at domain level. 


8 Enabling MFA

a. Authentication Profile

b. MFA policy

The Vault and Its Clients

Pre-implementation

 1 Server Sizing

  • Separate CPM and PSM if needed
    • PSM and CPM will have different size requirements 
      • PSM (1-10, 11-50, 51-100) sessions
      • CPM (<1000, 1000-20000,20000-100000, 100000+ ) managed passwords

2 Minimum Server requirements
  • 8 Cores, 8GB RAM
  • Windows Server 2016 or 2019
  • Domain Joined (for full PSM features)
  • All connector servers need to be deployed into an OU that has GPO inheritance disabled

3 Design Consideration for Architecture
  • Components : PSM, CPM, Identity Connector (2 for resilience ), Secure Tunnel (2)
  • PSM best practice for HA
  • CPM Active /DR best practice
  • AAM  - separate VM
  • PSM for Unix - Separate
4  LDAP Requirements
  • Domain Joined
  • LDAPS
  • Read permissions on the deleted objects container
    • Domain admin
    • Delegate read permissions to a service account
    • https://

      /Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/CoreServices/Connector/Add-AD.htm?tocpath=Setup%7CAdd%20Users%7CAdd%20users%20from%20an%20external%20directory%20service%7C_____1#Userandpermissionrequirements
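The "delegate read permissions to a service account" item above is what lets the Identity Connector run without a Domain Admin account. The following PowerShell is an added example written for this post (not CyberArk's or Microsoft's own script); it assumes the RSAT ActiveDirectory module is present, runs as a Domain Admin, and uses a placeholder service account name.

```powershell
# Added example: grant a dedicated service account read access to the
# Deleted Objects container instead of giving the connector Domain Admin rights.
# Run as a Domain Admin on a host with RSAT. Account name is a placeholder.
$domainDN  = (Get-ADDomain).DistinguishedName        # e.g. DC=example,DC=local
$container = "CN=Deleted Objects,$domainDN"
$svc       = 'EXAMPLE\svc-cyberark-idc'              # placeholder service account

# Only the owner can read or change the container's ACL by default,
# so take ownership first (as Domain Admin), then delegate
# List Contents + Read Property (LCRP) to the service account.
dsacls $container /takeownership
dsacls $container /G "${svc}:LCRP"

# Verify the delegation: the account should show LIST CONTENTS / READ PROPERTY.
dsacls $container | Select-String -Pattern ([regex]::Escape($svc)) -Context 0,3
```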

5  RDS 
  • RDS license server
  • RDS Cal on your connector server
    • Windows 2019 Per-User CAL if Connector Server OS is 2019
    • Per-device CAL
  • RDS should not be installed prior to the implementation
6  Firewall

7  Verify Prerequisites
  • Troubleshooting flag
  • script to validate required network traffic and local settings: https://

    /s/article/Privilege-Cloud-How-to-run-the-PSMCheck

  • Privilege Cloud Checklist: https://

    /s/article/Privilege-Cloud-Remote-Access-PreImplementation-Checklist

  • Remote Access for Privilege Cloud: https://

    /s/article/Privilege-Cloud-PreImplementation-Checklist
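To make the minimum server requirements and the prerequisite checks above concrete, here is an added PowerShell pre-flight script written for this post; it is not CyberArk's PSMCheck script. It assumes the RSAT GroupPolicy module and the ServerManager module are available on the connector host, and the domain controller hostname is a placeholder.

```powershell
# Added example: pre-implementation check for a Privilege Cloud connector server.
# Thresholds follow the minimum requirements listed above. Run elevated on the host.
$results = [ordered]@{}

$cs    = Get-CimInstance Win32_ComputerSystem
$os    = Get-CimInstance Win32_OperatingSystem
$cores = (Get-CimInstance Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
$ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)

$results['Cores >= 8']       = $cores -ge 8
$results['RAM >= 8 GB']      = $ramGB -ge 8
$results['Server 2016/2019'] = $os.Caption -match 'Server (2016|2019)'
$results['Domain joined']    = $cs.PartOfDomain

# The OU holding connector servers must have GPO inheritance blocked.
if ($cs.PartOfDomain) {
    $dn = ([adsisearcher]"(&(objectClass=computer)(name=$env:COMPUTERNAME))").FindOne().Properties['distinguishedname'][0]
    $ou = $dn -replace '^CN=[^,]+,', ''            # strip the computer RDN to get its OU
    try {
        $results["GPO inheritance blocked on $ou"] = (Get-GPInheritance -Target $ou).GpoInheritanceBlocked
    } catch {
        $results["GPO inheritance blocked on $ou"] = 'unknown (GroupPolicy module not available)'
    }
}

# RDS must not be installed before the PSM implementation.
$results['RDS Session Host not pre-installed'] = -not (Get-WindowsFeature RDS-RD-Server).Installed

# LDAPS (TCP 636) reachability to a domain controller; hostname is a placeholder.
$dc = 'dc01.example.local'
$results["LDAPS $dc`:636 reachable"] = (Test-NetConnection -ComputerName $dc -Port 636 -WarningAction SilentlyContinue).TcpTestSucceeded

$results.GetEnumerator() | ForEach-Object { '{0,-48} {1}' -f $_.Key, $_.Value }
```

Any line printing False is a blocker to resolve before generating the connector installation script.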

Identity Connector Installation

 CyberArk Identity Connector

  • installeruser 
    • Reset the password; the password will expire after 24 hours
    • No MFA

Connector Management

Install Connector to a new Connector server

To deploy a new connector, you first generate the installation script and then run it on the connector host machine.

To perform the following steps, your user must be assigned to the System Administrator role in Identity Administration.

  1. Sign in to the CyberArk Identity Security Platform Shared Services using the link provided in the CyberArk email.

  2. Click the service picker, and select Connector Management.

  3. On the Connectors page, click Add a connector.

  4. In the Add connector wizard > Define installation details tab, define the following details for the Management Agent on the host machine:

  5. Click Next.

  6. In the Copy installation script tab, review the connector settings you defined:

Click Copy script to later copy it to the connector host machine.

The script is available for 5 minutes.

Optionally:

  • Click Renew to renew the script availability for an additional 5 minutes

  • Click Preview to view the script format

Click Close.

https://

/ConnectorManagement/Latest/en/Content/Setup/CM_AddConnector.htm?tocpath=Setup%7C_____2#Addaconnector1


Upgrade CPM and Other Components

As of January 2024, it is still not possible to upgrade PSM from the Connector Management page.

Connector shows components details

Upgrade Components page

You will need your [email protected] credential to proceed. Reset the installeruser password first, since it expires 24 hours after being reset.

CyberArk Related Services on Connector Server

1. CPM Scanner
2. Identity Connector
3. Management Agent
4. CPM
5. Cloud Secure Tunnel
6. PSM

External IDP Configuration (ADFS)

ADFS Windows Server Configuration:

AD FS Management Certifications:
1. Service Communications
2. Token-decryption
3. Token-signing

Access Control Policies

Relying Party Trusts

CyberArk_Priv_Cloud Configuration:

CyberArk Identity Administration:

Settings - Users - External Identity Providers

Configure Identity Services

Using "CyberArk Service Users - No MFA" as an example:

Create Users

Create / Modify Role - Add Members

Create Policies

Choose the Authentication Policy you will use for CyberArk Identity

Authentication Profile: configured as password only.
To review all authentication profiles, check the page at Settings - Authentication:

For most users, the policy that will be applied is the Default Policy, as shown below:

The Default Policy in Core Services - Policies uses the Default Other Login Profile, which uses 2FA for authentication.

CyberArk Useful Links

Copyright notice:
Author: congcong
Link: https://www.techfm.club/p/215170.html
Source: TechFM
The article is copyrighted by its author; do not reproduce without permission.
