CyberArk PAS Integration with LDAP, NTP, SMTP, SIEM, SNMP, Backup, Native Firewall – InfoSec Memo


This post explains the configuration for integrating CyberArk with various common enterprise software and services.

The bind username and bind password are the ones you entered when you integrated CyberArk with your LDAP directory. If for some reason you are having trouble creating a new mapping, there is usually a problem with the bind account. You can modify the username/password from the following configuration location:

Note: once CyberArk is integrated with LDAP, the LDAP integration wizard is grayed out. To re-activate the LDAP integration wizard, you need to delete the server configuration under Administration – LDAP Integration (e.g. 51sectest.com). Also delete the LDAP directory mapping from the PrivateArk client.

YouTube: CyberArk PAS 12.0 Lab – 2.1 LDAP Domain Integration

12.1 Lab – LDAP & SMTP Integration

SMTP Notification

There are a few things to verify before you integrate with the SMTP server. First, make sure the ENE (Event Notification Engine) service is up and running. Second, make sure your built-in administrator user has a business email address associated with it.

  1. Log onto the PrivateArk Administrative Client as an administrator user.

  2. Ensure that the business email address of the user who will issue ENE notifications is specified in that user's properties. This user must belong to the Vault Admins group. By default, this is the Administrator user.

Note: If you need to run the wizard again, you can change the IP address of the SMTP server to 1.1.1.1 and save. Also make sure that the Event Notification Engine service is running on the Vault server.

Issue: PAM administrators do not receive the ENE test email.

Make sure the PAM administrator accounts have a business email address configured.


NTP

Note: Time synchronization is critically important in the CyberArk PAS architecture, and even more so when implementing the CyberArk Cluster Vault Management solution. In the following exercise we integrate both nodes of the cluster Vault with an external time source.

1. Log on as Administrator to the passive node of the cluster.
a. Using Windows File Explorer, navigate to 'C:\Program Files (x86)\PrivateArk\Server\Conf'.
2. Edit the dbparm.ini file, adding the following lines to the end of the file. This creates the inbound and outbound firewall rules that allow the Vault to communicate with the NTP server (10.0.0.2 is the lab's NTP server; substitute your own):
[NTP]
AllowNonStandardFWAddresses=[10.0.0.2],Yes,123:outbound/udp,123:inbound/udp

3. Enable the Windows Time service using the Windows Services applet.
4. Double-click "Windows Time" to display the service properties.
5. Change the Startup type to Automatic (Delayed Start) and click OK.
6. Start the Windows Time service.
7. Repeat the above procedure on the active node of the cluster before proceeding.
8. To commit the changes made to DBParm.ini, the PrivateArk Server service must be restarted.
Note: In an HA Cluster Vault implementation, you cannot start and stop CyberArk services through the normal interface. Services must be restarted using the ClusterVault Manager (CVM) interface. To restart the services, we simply fail over to the passive node, which commits the changes.
9. Ensure that you are logged into the active node of the cluster. Open the CVM to determine which node is active and which is passive. Only the active node can manually execute the failover procedure.
10. Open the CVM on the active node and click the center icon with the opposing arrows to initiate the failover procedure.
11. Click Proceed to confirm the change.
a. Observe the failover progress in the CVM, or alternatively monitor "C:\Program Files (x86)\PrivateArk\Server\ClusterVault\ClusterVaultConsole.log".
b. The log displays the failover sequence.
12. Next, we need to set a special time skew so that, if the clock is very far off, the Vault does not make too large a system time change at once. This forces the NTP client to adjust every half hour for the first 3 checks and then every 8 hours. This prevents triggering the Vault's anti-tampering protections, which can be activated when new audit entries are created with timestamps earlier than existing audit entries.
13. Ensure you are working on the active node.
14. Open regedit. Browse to HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters.
15. Add a new DWORD and name it "Interval".
a. Double-click it, change the Base to Decimal and set the Value data to "65532".
b. Close the Registry Editor.
Note: Microsoft's Windows Time service documentation lists the special value 65532 (synchronize every 45 minutes until three successful synchronizations, then every 8 hours) under the value name "Period" in this same key; if the setting has no effect under the name above, check the W32Time documentation for your Windows version.
16. Open an administrative command prompt and run the following command:
w32tm /config /manualpeerlist:10.0.0.2 /syncfromflags:manual /reliable:YES /update
To verify, run w32tm /query /peers and w32tm /query /status and confirm that the peer is 10.0.0.2 and the last successful sync time is recent.
17. Fail over to the passive node. When failover is complete, log in to the (now) active node.
Complete steps 13 – 17 on the active node of the Cluster Vault.
18. Both nodes of the Vault cluster are now synced to an external NTP time source.

For NTP client configuration on the Vault, see:

https://www.netbraintech.com/docs/ie80/assist/configuring-ntp.htm


SIEM Integration / Syslog

Rename one of the sample translator files
• Translator files translate the CyberArk logging format into the SIEM's logging format
• The five supplied files cover the most commonly deployed SIEM systems
• The ArcSight translator file works with Splunk and others

Add the SYSLOG configuration to dbparm.ini:

C:\Program Files (x86)\PrivateArk\Server\Conf\dbparm.ini

[MAIN]
TasksCount=20
DateFormat=DD.MM.YY
TimeFormat=HH:MM:SS
ResidentDelay=10
BasePort=1858
LogRetention=7
LockTimeOut=30
DaysForAutoClear=30
DaysForPicturesDistribution=Never
ClockSyncTolerance=600
TraceArchiveMaxSize=5120
VaultEventNotifications=NotifyOnNewRequest,NotifyOnRejectRequest,NotifyOnConfirmRequestByAll,NotifyOnDeleteRequest
RecoveryPubKey=C:\keys\operator\RecPub.key
ServerKey=C:\keys\operator\Server.key
StagingAreaDirectory=C:\PrivateArk\StagingArea
EntropyFile=C:\PrivateArk\Safes\entropy.rnd
DatabaseConnectionPasswordFile=C:\keys\operator\VaultUser.pass
ServerCertificateFile=C:\keys\operator\Server.pem
ServerPrivateKey=C:\keys\operator\Server.pvk
*AllowedVirusSafeFileTypes=DOC,DOT,XLS,XLT,EPS,BMP,GIF,TGA,TIF,TIFF,LOG,TXT,PAL,,
AutoClearSafeHistory=Yes,1,1,2
AutoClearUserHistory=Yes,1,3,4
AutoSyncExternalObjects=Yes,1,23,24
DebugLevel=PE(1),PERF(1,2)
VaultId=3efd1eb0-7012-11e9-8329-63fd6b776400
DefaultTimeout=30
PooledSocketTimeout=600
RecoveryPrvKey=D:\RecPrv.key
EnablePreDefinedUsers=ALL
AutomaticallyAddBuiltInGroups="Backup Users,DR Users,Operators,Auditors,Notification Engines"
LicenseUsageAlertLevel=85,90,99
MaxTasksAllocation=8(CPM,AIMApp,AppPrv):7-23,16(CPM,AIMApp,AppPrv):23-7,1(PTAApp)
AllowNonStandardFWAddresses=[17.23.1.5],Yes,3389:outbound/udp,3389:inbound/udp
AllowNonStandardFWAddresses=[17.23.1.5],Yes,3389:outbound/tcp,3389:inbound/tcp
AllowNonStandardFWAddresses=[17.23.1.2],Yes,514:outbound/udp,514:inbound/udp
AllowNonStandardFWAddresses=[17.23.1.4],Yes,514:outbound/udp,514:inbound/udp
AllowNonStandardFWAddresses=[17.21.1.6],Yes,25:outbound/tcp
AllowNonStandardFWAddresses=[10.1.4.1],Yes,25:outbound/tcp
ComponentNotificationThreshold=PIMProvider,Yes,30,1440;AppProvider,Yes,30,1440;OPMProvider,Yes,30,1440;CPM,Yes,720,1440;PVWA,Yes,90,1440;PSM,Yes,30,1440;DCAUser,Yes,60,2880;SFE,Yes,10,2880;FTP,Yes,60,2880;ENE,Yes,60,360
UserLockoutPeriodInMinutes=-1
MaskUserIsSuspendedMessage=No
TerminateOnDBErrorCodes=2003
[BACKUP]
BackupKey=C:\keys\operator\Backup.key
[CRYPTO]
SymCipherAlg=AES-256
ASymCipherAlg=RSA-2048
[SYSLOG]
SyslogTranslatorFile=SyslogArcSight.xsl
SyslogServerPort=514
*SyslogTranslatorFile=SyslogArcSight.xsl,SyslogPTA.xsl
*SyslogServerPort=514,11514
SyslogServerIP=172.23.1.22,172.23.1.34
*SyslogServerProtocol=TCP,UDP
SyslogServerProtocol=UDP
SyslogMessageCodeFilter=0-999
SyslogSendBOMPrefix=No
UseLegacySyslogFormat=No
SendMonitoringMessage=No

Note: lines beginning with * are commented out. The syslog servers need a matching AllowNonStandardFWAddresses entry for 514/udp, otherwise the hardened Vault firewall silently drops the messages. This sample also keeps RecoveryPrvKey on a separate drive (D:); CyberArk's guidance is to keep the recovery private key off the Vault server on removable media in a physical safe and mount it only when a recovery is actually needed.

• Restart the PrivateArk Server service.
• Use the Windows Services applet to restart it, to ensure that dependent services restart successfully.
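The following is an added example (not code from this page or from CyberArk) that checks the dbparm.ini consistency the SIEM and NTP steps above depend on: every syslog destination in [SYSLOG] needs an outbound AllowNonStandardFWAddresses exception for its port and protocol, and the NTP server needs one for 123/udp. The sample input is a constructed, trimmed copy of the fragment above plus the [NTP] entry from the NTP section; note that as written the syslog servers are 172.23.1.x while the 514/udp exceptions are for 17.23.1.x, so the checker reports both servers. The format handling (duplicate keys kept in order, a leading * as a comment marker, a single port or protocol value applying to every listed server) is inferred from the page's fragment, not taken from CyberArk documentation.

```python
"""Added example: check dbparm.ini firewall exceptions against syslog/NTP targets.

Parsing rules are inferred from the dbparm.ini fragment on this page (not CyberArk
documentation): keys may repeat, '*' comments a line out, and a single
SyslogServerPort/SyslogServerProtocol value applies to every SyslogServerIP.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class FwRule(NamedTuple):
    ip: str
    port: int
    direction: str   # "inbound" or "outbound"
    proto: str       # "tcp" or "udp"


# Constructed sample: trimmed copy of this page's fragment plus the [NTP] entry.
# The syslog servers are 172.23.1.x but the 514/udp exceptions name 17.23.1.x.
SAMPLE_DBPARM = """\
[MAIN]
BasePort=1858
AllowNonStandardFWAddresses=[17.23.1.5],Yes,3389:outbound/udp,3389:inbound/udp
AllowNonStandardFWAddresses=[17.23.1.5],Yes,3389:outbound/tcp,3389:inbound/tcp
AllowNonStandardFWAddresses=[17.23.1.2],Yes,514:outbound/udp,514:inbound/udp
AllowNonStandardFWAddresses=[17.23.1.4],Yes,514:outbound/udp,514:inbound/udp
AllowNonStandardFWAddresses=[17.21.1.6],Yes,25:outbound/tcp
AllowNonStandardFWAddresses=[10.1.4.1],Yes,25:outbound/tcp
[SYSLOG]
SyslogTranslatorFile=SyslogArcSight.xsl
SyslogServerPort=514
*SyslogServerPort=514,11514
SyslogServerIP=172.23.1.22,172.23.1.34
*SyslogServerProtocol=TCP,UDP
SyslogServerProtocol=UDP
[NTP]
AllowNonStandardFWAddresses=[10.0.0.2],Yes,123:outbound/udp,123:inbound/udp
"""

# [ip],Yes|No followed by one or more port:direction/proto items
_FW_RE = re.compile(
    r"^\[(?P<ip>[^\]]+)\],(?P<enabled>Yes|No)"
    r"(?P<rules>(?:,\d+:(?:inbound|outbound)/(?:tcp|udp))+)$",
    re.IGNORECASE,
)

Sections = Dict[str, Dict[str, List[str]]]


def parse_dbparm(text: str) -> Tuple[Sections, List[FwRule]]:
    """Parse dbparm.ini into (sections, firewall rules). configparser is avoided
    because the file repeats keys; every active occurrence is kept in file order."""
    sections: Sections = {}
    rules: List[FwRule] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "*;":          # blank or commented out
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].setdefault(key, []).append(value)
        if key.lower() == "allownonstandardfwaddresses":
            m = _FW_RE.match(value)
            if m is None:
                raise ValueError(f"unparseable firewall entry: {value}")
            if m.group("enabled").lower() != "yes":
                continue
            for item in m.group("rules").strip(",").split(","):
                port, rest = item.split(":")
                direction, proto = rest.split("/")
                rules.append(FwRule(m.group("ip"), int(port), direction.lower(), proto.lower()))
    return sections, rules


def syslog_targets(sections: Sections) -> List[Tuple[str, int, str]]:
    """One (ip, port, proto) per syslog server; a lone port/protocol value applies
    to all servers, a comma list is matched by position; last active key wins."""
    s = sections.get("SYSLOG", {})
    ips = [x.strip() for x in s.get("SyslogServerIP", [""])[-1].split(",") if x.strip()]
    ports = [int(x) for x in s.get("SyslogServerPort", ["514"])[-1].split(",")]
    protos = [x.strip().lower() for x in s.get("SyslogServerProtocol", ["udp"])[-1].split(",")]
    return [(ip, ports[i] if len(ports) > 1 else ports[0],
             protos[i] if len(protos) > 1 else protos[0]) for i, ip in enumerate(ips)]


def has_outbound_rule(rules: List[FwRule], ip: str, port: int, proto: str) -> bool:
    return FwRule(ip, port, "outbound", proto.lower()) in rules


def missing_syslog_rules(text: str) -> List[Tuple[str, int, str]]:
    """Syslog destinations that have no matching outbound exception in dbparm.ini."""
    sections, rules = parse_dbparm(text)
    return [t for t in syslog_targets(sections) if not has_outbound_rule(rules, *t)]


if __name__ == "__main__":
    for ip, port, proto in missing_syslog_rules(SAMPLE_DBPARM):
        print(f"no outbound {port}/{proto} exception for syslog server {ip}")
```

Run it against a copy of the Vault's dbparm.ini before restarting the PrivateArk Server service; an empty result means every syslog server listed is reachable through the hardened firewall, and has_outbound_rule can be used the same way for the NTP peer (10.0.0.2, 123/udp) or the SMTP relay.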


SNMP

Configure paragent.ini with the following information:
• SNMPHostIP: the IP address of the remote computer to which SNMP traps will be sent.
• SNMPTrapPort: the port through which SNMP traps will be sent to the remote computer.
• SNMPCommunity: the name of the location where the SNMP traps originated (the SNMP community string, which the trap receiver must be configured to accept).

• Restart the PrivateArk Remote Control Agent service to load the changes into memory.
• Check with the administrator of the SNMP console to ensure that the SNMP messages sent are being received and are readable.


Vault Backup Steps

Step 1: The Vault Backup utility (PAReplicate.exe) generates a metadata backup in the Vault's Metadata Backup folder, then exports the contents of the Data folder and the contents of the Metadata Backup folder to the computer on which the Backup utility is installed.

Step 2: After the replication process is complete, the external backup utility copies all the files from the replicated Data folder and the Metadata folder.

Keep the replicated files on the Backup utility machine after the external backup utility has copied them. The next time you run the Backup utility to the same location, it updates only the modified files, which reduces the replication time.

Backup folder:

C:\PrivateArk\Safes\MetaData


CMD Backup

Script:

@echo off
rem Full Vault replication with PAReplicate. Change directory first (with /d, in case
rem the task starts on another drive) so the relative Vault.ini / user.ini paths resolve.
cd /d "c:\Program Files (x86)\PrivateArk\Replicate"
echo %date% %time% Start of task > ReplicateBatch.log
echo User=%UserName%, Path=%path% >> ReplicateBatch.log
PAReplicate.exe Vault.ini /logonfromfile user.ini /fullbackup 1>> ReplicateBatch.log 2>> ReplicateBatch.err
echo %date% %time% End of task >> ReplicateBatch.log

Note: user.ini is the credential file for the Backup user (created with CreateCredFile.exe); restrict its NTFS permissions to the account that runs the task.

Scheduled Job:

  • Run as: Local System (run with highest privileges)

  • Program/script: "c:\Program Files (x86)\PrivateArk\Replicate\PAReplicate.exe"

  • Add arguments: vault.ini /logonfromfile user.ini /fullbackup

  • Start in: c:\Program Files (x86)\PrivateArk\Replicate

Firewall on Vault

After the Vault has been hardened, this is what Windows Firewall with Advanced Security should look like:

Wrong one

Right one

The correct state is to have only the rules created by the CyberArk hardening process, with no firewall rules from any other external configuration.


