CyberArk SIA (Secure Infrastructure Access) Connector (DPA)

The Connector Management service mediates between your environment and CyberArk's ISPSS services. It enables you to manage CyberArk components and deploy communication tunnels between your organization and CyberArk's cloud environment.

The Connector Management agent is an on-premises component installed on the customer machine to run local CyberArk functions.

The connector installation script includes the agent setup files, certificate, and ID file. The connector installation script contains a secret token for authentication, which expires after five minutes, for security reasons. If the security token expires, you can reload the script, which contains a new security token.

This post summarizes the steps for installing the DPA Connector on your existing on-premises CyberArk Connector servers.

Introduction

 https://docs.cyberark.com/ispss-deployment/latest/en/content/setup/dpa_install-connector.htm

The connector is installed in the following location on the host machine: %ProgramFiles%/CyberArk/DPAConnector.

The connector log files are written to %ProgramFiles%/CyberArk/DPAConnector/Logs/connector.log.

The maximum size for a single log file is 10 MB. When the current log file reaches this size, a timestamp is added to the file name and a new connector.log file is created. When the number of log files reaches 10 (100 MB in total), the oldest log file is deleted.

Roles 

An admin who needs access to the Secure Infrastructure Access page must have a specific role permission:

DpaAdmin - The primary administrative role for the Dynamic Privilege Access service

Configure a connector

1 Add a connector to a selected pool

Usually the selected pool is the current pool of your existing legacy connector, which reaches end of life at the end of 2025.

2 Select an OS platform: Linux or Windows

3 Keep the default configuration

4 Copy the generated script

5 Run the copied script in an administrator PowerShell window


6 CyberArk DPA Connector Service

Check Certificates

 

If there is a certificate error, you can disable TLS Certificate Validation.

Eventually you will need to import the proper root CA and intermediate CA certificates. They are imported automatically, but that import sometimes contains mistakes.
Get a proper intermediate CA certificate from one of your PSM servers:
1 Using the Remote Desktop Services certificate information in Server Manager, you can easily locate it in the Certificates console

2 Certificates Console - Copy to file



3 Go through Certificate Export Wizard
Some options:
No, do not export the private key
Base-64 encoded X.509 (.CER)


4 Import into SIC Certificate page
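
Before the import in step 4, the exported file can be checked against the export options chosen in step 3. The PowerShell function below is an added example, not part of CyberArk's tooling or of the original post; the function name and the file path are hypothetical.

```powershell
# Added example: sanity-check a CA certificate exported in step 3 before importing it.
function Test-ExportedCaCert {
    param([Parameter(Mandatory)][string]$Path)

    $text = Get-Content -LiteralPath $Path -Raw
    # "Base-64 encoded X.509 (.CER)" produces a PEM-style text file.
    $isBase64 = $text -match '-----BEGIN CERTIFICATE-----'
    # A .CER export carries no key; a key block means the wrong file was picked.
    $hasKeyBlock = $text -match '-----BEGIN [A-Z ]*PRIVATE KEY-----'

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        (Resolve-Path -LiteralPath $Path).Path)

    # Root and intermediate certificates carry BasicConstraints (OID 2.5.29.19) with CA=TRUE.
    $bc = $cert.Extensions['2.5.29.19']
    $isCa = [bool]($bc -and $bc.CertificateAuthority)

    # Build the chain against this machine's trust stores; revocation lookups are
    # skipped so the check also works without outbound access.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        Base64Encoded = $isBase64
        HasPrivateKey = $cert.HasPrivateKey -or $hasKeyBlock
        IsCa          = $isCa
        # True for a root CA, False for an intermediate CA.
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        Expired       = ($cert.NotAfter -lt (Get-Date))
        ChainStatus   = if ($chainOk) { 'OK' } else { $chain.ChainStatus.Status -join ', ' }
    }
}

# Hypothetical file name for the certificate exported from the PSM server.
Test-ExportedCaCert -Path 'C:\Temp\intermediate-ca.cer'
```

The chain is evaluated against the trust stores of the machine the function runs on, so running it on the connector host shows whether that host can build a path from the intermediate to a trusted root.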

Privilege Cloud Configuration Options

 



1 Find the new HTML5 gateway name



2 Make sure all your PSM gateways use this new gateway
This includes your PSM server load balancer VIP; you need to make this change there as well.

3 After confirming that everything works, you can remove the legacy secure tunnel:
CyberArk Privilege Cloud Secure Tunnel

References

  • https://docs.cyberark.com/ispss-deployment/latest/en/content/setup/dpa_install-connector.htm

Copyright notice:
Author: congcong
Link: https://www.techfm.club/p/226068.html
Source: TechFM
Copyright of this article belongs to the author. Do not reproduce without permission.
