Configure dual accounts
This topic describes how to configure dual account password management.
To support rotation of the two accounts before a Central Policy Manager password change, the two accounts are grouped into a rotational group.
This feature supports rotation of precisely two accounts only.
Account rotation flow
Under rotational group platform configuration:
1. The CPM detects that the rotational group requires a password change, based on its platform settings.
2. The DualAccountStatus of both accounts is switched between Active and Inactive.
3. The CurrInd of the group is updated to the index of the active account.
4. The inactive account is marked for a password change.
5. Based on the GracePeriod property of the rotational group platform, the password change is delayed, allowing the Credential Provider to refresh its cache and start working with the current active account.
6. When the grace period has ended, the CPM initiates a password change task for the inactive account.
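The flow above, as an added example that is not CyberArk code: a small PowerShell model of a rotational group that applies steps 2 to 6 in order and shows why the account whose password the CPM changes is never the one the Credential Provider is serving. The property names DualAccountStatus, Index, CurrInd and GracePeriod are the ones this page documents; the object layout, function names and sample values are assumptions made for the example.

```powershell
# Added example (not CyberArk code): a model of one rotation of a rotational group.
# DualAccountStatus, Index, CurrInd and GracePeriod are the documented property names;
# the object layout, function names and sample values are assumptions for illustration.

function New-DualAccountPair {
    param(
        [string]$VirtualUserName,
        [string]$GroupName,
        [int]$GracePeriodMinutes = 6        # documented default
    )
    [pscustomobject]@{
        GroupName   = $GroupName
        GracePeriod = $GracePeriodMinutes
        CurrInd     = 1                     # index of the Active account, as set on the group object
        Accounts    = @(
            [pscustomobject]@{ UserName = "${VirtualUserName}_1"; Index = 1; DualAccountStatus = 'Active';   ChangeNotBefore = $null }
            [pscustomobject]@{ UserName = "${VirtualUserName}_2"; Index = 2; DualAccountStatus = 'Inactive'; ChangeNotBefore = $null }
        )
    }
}

function Invoke-DualAccountRotation {
    # Applies steps 2 to 5 of the flow and returns what the CPM will act on in step 6.
    param([pscustomobject]$Group, [datetime]$Now = (Get-Date))

    $oldActive   = @($Group.Accounts | Where-Object DualAccountStatus -eq 'Active')
    $oldInactive = @($Group.Accounts | Where-Object DualAccountStatus -eq 'Inactive')
    if ($oldActive.Count -ne 1 -or $oldInactive.Count -ne 1) {
        throw "Group $($Group.GroupName) must have exactly one Active and one Inactive account"
    }
    $oldActive = $oldActive[0]; $oldInactive = $oldInactive[0]

    # Step 2: swap roles. From now on the Credential Provider serves $oldInactive.
    $oldActive.DualAccountStatus   = 'Inactive'
    $oldInactive.DualAccountStatus = 'Active'

    # Step 3: CurrInd follows the new Active account.
    $Group.CurrInd = $oldInactive.Index

    # Steps 4 and 5: the account that just became Inactive is marked for change, but the
    # change may not start before the grace period has elapsed, so the CP cache has
    # already refreshed to the new Active account by the time its old password stops working.
    $oldActive.ChangeNotBefore = $Now.AddMinutes($Group.GracePeriod)

    [pscustomobject]@{
        ActiveAccount   = $oldInactive.UserName
        AccountToChange = $oldActive.UserName
        ChangeNotBefore = $oldActive.ChangeNotBefore
    }
}

# Two rotations: the pair returns to its starting roles and CurrInd goes 1 -> 2 -> 1.
$pair   = New-DualAccountPair -VirtualUserName 'app_db' -GroupName 'app_db_group' -GracePeriodMinutes 9
$first  = Invoke-DualAccountRotation -Group $pair -Now ([datetime]'2024-01-01T08:00:00Z')
$second = Invoke-DualAccountRotation -Group $pair -Now $first.ChangeNotBefore
"After rotation 1: CPM changes $($first.AccountToChange) at $($first.ChangeNotBefore)"
"After rotation 2: CPM changes $($second.AccountToChange); CurrInd is $($pair.CurrInd)"
```

The only state the application-facing side ever reads is the Active account; the ChangeNotBefore timestamp is what keeps the CPM from touching the other account until the Credential Provider has had GracePeriod minutes to refresh its cache.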
Configure support for dual account password management
This section describes how to configure dual account password management.
If your account platforms have the address, username, password, and account properties, and no other mandatory properties, you can configure dual account password management using:
- A single script from GitHub (Privileged Access Security (PAS) v12.1 and later)
- A template and scripts from the CyberArk Marketplace (Privilege Cloud and PAS users)
This is the recommended approach for such account platforms.
For account platforms that do not include these properties or that have other mandatory properties, use the manual configuration.
This section describes how to configure dual account password management using a single script from GitHub.
This script creates and configures two new accounts as a dual account pair; it cannot include an existing account in a dual account pair. Make sure that no account that you wish to include in a dual account pair already exists.
1. Prerequisite
Download the Dual Account Creation script from GitHub.
2. Configure the script
Policy-DualAccount-Creation.json is the configuration file for the Dual Account Creation script that creates the dual account pair. The configuration file contains all mandatory and optional properties required for creating the dual account pair.
Before you run the script, fill in the required details as follows (for each parameter: description, type, whether it is required, and the default value where one exists):
PVWAURL: The URL address of your PVWA. Type: URL. Required: Yes.
PlatformSampleTemplate: The full path of the sample platform for Rotational Groups, including the ZIP file name (Rotational Group.zip). Type: Full file path. Required: Yes.
PlatformID: The ID of the platform for your dual account pair. Type: String. Required: Yes.
VirtualUserName: The name that the application uses to request access to the dual account pair secrets. Type: String. Required: Yes.
SafeName: The Safe used to store the dual account pair. Type: String. Required: Yes.
GroupName: The group for the dual account pair, used for rotating the accounts. Type: String. Required: Yes.
AccountDelimiter: The character used to separate the properties of the account. Make sure that this character is not used in any of the properties. Type: Char. Required: No. Default: @
ListDelimiter: The character used to separate the two accounts in the dual account pair. Make sure that this character is not used in either account's name or in any of its properties. Type: Char. Required: No. Default: ;
GracePeriod: The number of minutes between the rotation of roles between the accounts (Active/Inactive) and the beginning of the password change process for the current inactive account. Type: Numeric. Required: No. Default: 6
LogFileFullPath: The path where your log file is saved, including the log file name (Log-DualAccount.log). Make sure that you have write permissions to this folder. Type: Full file path. Required: No. Default: <Script location>
LogDebugLevel: If enabled, additional information is written to the log file. This is useful when troubleshooting the script. Type: Boolean. Required: No. Default: False
LogVerboseLevel: If enabled, additional information about the technical flow is written to the log file. Type: Boolean. Required: No. Default: False
DisableSSLVerify: If enabled, SSL certificate verification is disabled and self-signed certificates are accepted. We recommend that you do not enable this: without certificate verification the script has no assurance that it is sending the Vault credentials and the new account secrets to your real PVWA. Type: Boolean. Required: No. Default: False
3. Run the Dual Account Creation script
The Dual Account Creation script (DualAccount-Creation.ps1) creates the two accounts and makes the necessary changes to the platform and to the account properties so that the accounts work as a dual account pair.
Run the following command:
powershell DualAccount-Creation.ps1 -PASUserName <string> -PASPassword <string> -AccountList <string> -AuthenticationType <string> -ConfigFileFullPath <string>
For AccountList, combine the username, IP address, and either the password or the path of the SSH key file (including the file name), using the AccountDelimiter and ListDelimiter characters from the configuration file (@ and ; by default), as follows:
- Using the password:
[USER_NAME1]@[IP_ADDRESS]@[PASSWORD];[USER_NAME2]@[IP_ADDRESS]@[PASSWORD]
- Using the path of the SSH key file:
[USER_NAME1]@[IP_ADDRESS]@[SSH_KEY_PATH];[USER_NAME2]@[IP_ADDRESS]@[SSH_KEY_PATH]
PASUserName: The Vault/PVWA username. Type: String. Required: Yes.
PASPassword: The Vault/PVWA password. Type: String. Required: Yes.
AccountList: The credentials of the accounts that you want to create, in the format shown above. Type: String. Required: Yes.
AuthenticationType: The type of authentication for logging on. Available values: CyberArk, LDAP, RADIUS. Type: String. Required: No. Default: CyberArk
ConfigFileFullPath: The full path to the configuration file, including the configuration file name (Policy-DualAccount-Creation.json). Make sure that you have write permissions to this folder. Type: Full file path. Required: No. Default: <Script location>
You can view the Dual Account Creation script's progress and status in the console and in the log file (by default, Log-DualAccount.log).
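A worked run of the configure and run steps above, added here and not part of the Dual Account Creation script package: it writes Policy-DualAccount-Creation.json with the parameters listed above, builds the AccountList value from structured input while enforcing the delimiter rule, and invokes DualAccount-Creation.ps1. The script directory, PVWA URL, Safe, platform, group and account values, and the CacheRefreshInterval used to size GracePeriod are assumptions; the configuration keys and script parameter names are the ones documented above.

```powershell
# Added example, not CyberArk's code. Everything under $scriptDir, the URL, Safe, platform,
# group and account values, and $cacheRefreshIntervalSec are assumptions for illustration.

$scriptDir               = 'C:\CyberArk\DualAccount'   # assumed location of DualAccount-Creation.ps1
$cacheRefreshIntervalSec = 180                         # assumed Credential Provider CacheRefreshInterval (seconds)

$config = [ordered]@{
    PVWAURL                = 'https://pvwa.example.com/PasswordVault'
    PlatformSampleTemplate = Join-Path $scriptDir 'Rotational Group.zip'
    PlatformID             = 'UnixSSH'
    VirtualUserName        = 'app_db'
    SafeName               = 'App-DB-DualAccounts'
    GroupName              = 'app_db_group'
    AccountDelimiter       = '@'
    ListDelimiter          = ';'
    # Documented guidance: GracePeriod (minutes) should be three times the CP cache refresh interval.
    GracePeriod            = [int][math]::Ceiling(3 * $cacheRefreshIntervalSec / 60)
    LogFileFullPath        = Join-Path $scriptDir 'Log-DualAccount.log'
    LogDebugLevel          = $false
    LogVerboseLevel        = $false
    DisableSSLVerify       = $false                    # keep certificate verification on
}

# Constructed sample pair: one account with a password, one with an SSH key file path.
$accounts = @(
    @{ UserName = 'svc_app1'; Address = '10.0.0.5'; Secret = 'P4ssw0rd-one' }
    @{ UserName = 'svc_app2'; Address = '10.0.0.5'; Secret = 'C:\keys\svc_app2.pem' }
)

function New-AccountListString {
    # Builds [USER]@[ADDRESS]@[SECRET];[USER]@[ADDRESS]@[SECRET] and refuses any field that
    # contains either delimiter, because the script would otherwise split it in the wrong place.
    param([hashtable[]]$Accounts, [char]$AccountDelimiter, [char]$ListDelimiter)
    if ($Accounts.Count -ne 2) { throw 'A dual account pair is exactly two accounts' }
    $entries = foreach ($a in $Accounts) {
        foreach ($field in 'UserName', 'Address', 'Secret') {
            $v = [string]$a[$field]
            if ($v.Contains([string]$AccountDelimiter) -or $v.Contains([string]$ListDelimiter)) {
                throw "Account $($a.UserName): field $field contains a delimiter character ('$AccountDelimiter' or '$ListDelimiter')"
            }
        }
        ($a.UserName, $a.Address, $a.Secret) -join $AccountDelimiter
    }
    $entries -join $ListDelimiter
}

$accountList = New-AccountListString -Accounts $accounts `
    -AccountDelimiter $config.AccountDelimiter -ListDelimiter $config.ListDelimiter

$configPath = Join-Path $scriptDir 'Policy-DualAccount-Creation.json'
$config | ConvertTo-Json | Set-Content -Path $configPath -Encoding UTF8

# Prompt for the Vault user rather than typing the password into the command line,
# where it would be kept in the PowerShell history.
$cred = Get-Credential -Message 'Vault/PVWA user for DualAccount-Creation.ps1'

$scriptParams = @{
    PASUserName        = $cred.UserName
    PASPassword        = $cred.GetNetworkCredential().Password
    AccountList        = $accountList
    AuthenticationType = 'CyberArk'
    ConfigFileFullPath = $configPath
}
& (Join-Path $scriptDir 'DualAccount-Creation.ps1') @scriptParams
```

The script's own interface still takes PASPassword and the account secrets as plain string arguments, so they are visible to anyone who can read the process command line on the host while it runs; run it from a controlled administrative workstation with a Vault user created for this task, and treat the generated AccountList value as a secret.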
4. (Optional) Use a different Rotational Group platform
To use a different Rotational Group platform for your dual account pair (not the default platform):
a. Log on to the PVWA as an administrator.
b. Duplicate the Rotational Group platform and change the GracePeriod as desired.
c. For each dual account pair that is to work with the duplicated platform, update its rotational group platform to the duplicated platform.
5. Test your dual account pair
a. Go to PVWA > Accounts > Account Details and select your dual account pair.
b. Select one of the accounts and, on the CPM tab, click Display. Both accounts appear in the same group, where one account is active and the other is inactive (see the Status field).
c. Using the dual account pair's virtual username, retrieve the dual account pair's password. The password retrieved should be the password of the active account.
d. Trigger a CPM rotation for one of the accounts, or wait for it to happen on its own.
e. Using the dual account pair's virtual username, retrieve the dual account pair's password again.
f. Verify that the currently active account is the account that was inactive in step b.
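The retrieval and rotation checks in the test above, scripted as an added example (not CyberArk code) for a host on which the Credential Provider is installed. It assumes the CLIPasswordSDK.exe path, the AppID, Safe and virtual user name shown, that the pair is addressed through a VirtualUserName key in the query, and that multiple /o output fields are returned comma separated; confirm each of these against your Credential Provider documentation before relying on the script.

```powershell
# Added example, not CyberArk's code. The SDK path, AppID, Safe, virtual user name,
# the VirtualUserName query key and the comma-separated /o output are assumptions.

$sdk   = 'C:\Program Files (x86)\CyberArk\ApplicationPasswordSdk\CLIPasswordSDK.exe'
$appId = 'App-DB'
$safe  = 'App-DB-DualAccounts'
$vuser = 'app_db'

function Get-DualAccountSecret {
    # Asks the Credential Provider for the pair by virtual user name and returns the
    # user name of the account it currently serves together with that account's password.
    # Password is requested last so that a comma inside it cannot shift the split.
    $query = "Safe=$safe;VirtualUserName=$vuser"
    $out = & $sdk GetPassword /p "AppDescs.AppID=$appId" /p "Query=$query" /o PassProps.UserName,Password
    if ($LASTEXITCODE -ne 0) { throw "CLIPasswordSDK failed (exit $LASTEXITCODE): $out" }
    $fields = ($out -join '').Split(',', 2)
    if ($fields.Count -ne 2) { throw "Unexpected CLIPasswordSDK output: $out" }
    [pscustomobject]@{ UserName = $fields[0]; Password = $fields[1] }
}

function Wait-DualAccountRotation {
    # Polls until the served account differs from $PreviousUserName (step f) or times out.
    param([string]$PreviousUserName, [int]$TimeoutMinutes = 30, [int]$PollSeconds = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        $current = Get-DualAccountSecret
        if ($current.UserName -ne $PreviousUserName) { return $current }
        Start-Sleep -Seconds $PollSeconds
    }
    throw "No rotation observed for virtual user $vuser within $TimeoutMinutes minutes"
}

# Step c: record which account the pair resolves to before the rotation.
$before = Get-DualAccountSecret
"Active account before rotation: $($before.UserName)"

# Step d: trigger a CPM change on either account in the PVWA now, or wait for the scheduled one.
# Steps e and f: the served account must switch, and the served password must be the other account's.
$after = Wait-DualAccountRotation -PreviousUserName $before.UserName
if ($after.Password -eq $before.Password) {
    throw 'The served account switched but the password did not; check the pair configuration'
}
"Active account after rotation: $($after.UserName)"
```

Because the Credential Provider answers from its cache, the switch becomes visible only after the cache refresh that the GracePeriod is meant to cover; a poll interval shorter than the CacheRefreshInterval gains nothing.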
-
This section describes how to configure dual account password management using a template and scripts from the CyberArk Marketplace.
If you are working with PAS v12.1 or later, we recommend configuring dual accounts using the single script described in the section above.
1. Prerequisite
Download the required resources from the CyberArk Marketplace.
2. Create and configure a rotational group platform
a. Import the Rotational Groups Platform Sample ZIP file that you downloaded in step 1.
This step is optional. If you already have a rotational group platform that addresses all dual account pairs and their needs, you can reuse it. Make sure that its policy type is set to Group: under Automatic Password Management > General, for PolicyType, select Group.
To import the sample platform, in the PVWA/Privilege Cloud portal go to Administration > Platform Management and click Import platform.
The imported rotational group, Sample Rotational Group, appears under the Misc platform.
b. Right-click Sample Rotational Group or the rotational group that you want to use, and select Edit.
c. Under Automatic Password Management > General, for PolicyType, select Group, and click OK.
3. Create a Dual Account platform
In this step, you run the Convert-Platform-DualAccount.ps1 script (downloaded in step 1), which copies a selected platform and converts it into a corresponding platform that supports dual account pairs.
If the platform already has a corresponding dual account platform, you can skip this step.
a. Run the Convert-Platform-DualAccount.ps1 script, substituting <Platform_ID> with the ID of the platform you want to convert to a dual account platform:
.\Convert-Platform-DualAccount.ps1 -PVWAURL "<PVWA/PrivCloud_URL>" -PlatformID "<Platform_ID>"
For example (for PAS), to convert the Unix via SSH platform, run:
.\Convert-Platform-DualAccount.ps1 -PVWAURL "https://<hostname>.cyber-ark.co.il/passwordvault" -PlatformID "UnixSSH"
b. When prompted, enter your Vault/Privilege Cloud credentials.
c. When the script finishes running, the new platform, <Platform name> Dual Account, appears in the PVWA/Privilege Cloud in Administration > Platform Management.
For example, for Unix via SSH accounts in the PVWA/Privilege Cloud, the Unix via SSH Dual Account platform is created.
To see the new platform's properties, right-click the platform and select Edit.
Under UI & Workflows > Properties > Optional, the Index, DualAccountStatus, and VirtualUserName properties appear, indicating that this platform supports dual account pairs.
4. Create a dual account pair
In this step, you run the Create-DualAccount.ps1 script (downloaded in step 1), which creates two accounts (a dual account pair) and adds them to a rotational group. This allows an application to work with the dual account pair, where one account is active and the other is inactive.
a. Make sure you have a Safe for the dual account pair. If not, create one. For details, see the Privileged Access Security docs.
b. Run the Create-DualAccount.ps1 script, substituting <PVWA/PrivCloud_URL> with the PVWA/Privilege Cloud URL:
.\Create-DualAccount.ps1 -PVWAURL "<PVWA/PrivCloud_URL>" -Interactive
For example, for PAS:
.\Create-DualAccount.ps1 -PVWAURL "https://<hostname>.cyber-ark.co.il/passwordvault" -Interactive
c. When prompted, enter your PVWA/Privilege Cloud credentials.
d. When the script starts, enter the following information:
Application Virtual User Name: The name that the application uses to access the dual account pair. We recommend that you define a unique virtual user name for each pair.
Application Safe Name: The Safe for the dual account pair.
Dual Account Platform ID: The ID of the Dual Account platform you created in step 3.
Rotational Group Platform ID: The ID of the rotational group platform that you configured in step 2.
e. When prompted, enter the credentials of the first account that you want to create.
For the User name, combine the username and the IP address as follows:
<USER_NAME>@<IP_ADDRESS>
For example:
account1@1.1.1.1
f. Repeat step e for the second account.
To see the new accounts in the PVWA/Privilege Cloud, go to Accounts and click Additional details & actions in classic interface.
Select one of the accounts in the dual account pair you created. At the bottom of the CPM pane, click Display to view the details of the dual account pair. Note that only one account is Active.
For more information about viewing accounts, see:
- PVWA: View accounts
- Privilege Cloud: Manage your accounts
5. Configure the rotational group's Automatic Password Management settings
a. In the PVWA/Privilege Cloud portal, go to Administration > Platform Management > Groups.
b. Right-click the rotational group platform that you configured in step 2 and select Edit.
c. Under Automatic Password Management > General, for PolicyType, select RotationalGroup.
d. (Optional) Under Automatic Password Management > Additional Policy Settings > Parameters, update the GracePeriod value. The default grace period is 6 minutes.
The GracePeriod value is the number of minutes between the rotation of roles between the accounts (Active/Inactive) and the beginning of the password change process for the current Inactive account.
This enforces a delay that ensures there are no discrepancies between the account being used by the application and the one having its password rotated, similar to the StartChangeNotBefore property used in single account management.
We recommend setting the GracePeriod to three times the CacheRefreshInterval of the Credential Provider. The CacheRefreshInterval parameter is stored in the main configuration file in the Vault. GracePeriod is expressed in minutes, so convert the CacheRefreshInterval to minutes before multiplying.
For more information about configuring rotational group platforms, see:
- Privilege Cloud: Rotational Group Platforms
e. Save the platform.
This section describes how to configure dual account password management manually.
Privilege Cloud does not support manual dual account configuration. For Privilege Cloud, configure dual accounts using the template and scripts from the Marketplace.
1. Configure a rotational group platform
Configure the platform that will be used by the group object.
Do this step for each platform setting. If one platform setting addresses all dual account pairs and their needs, it may be reused.
In PVWA's Platform Management:
a. Duplicate the Sample Password Group Platform template.
b. Rename the platform to represent its purpose. For example, Rotational Policy.
c. Activate the platform. Click Edit to configure the new policy.
d. Go to Target Account Platform > Automatic Password Management > General. Change the platform's PolicyType to RotationalGroup.
e. Go to Target Account Platform:
- Right-click Automatic Password Management > Add additional Policy Settings.
- Right-click Additional Policy Settings > Add Parameters.
- Right-click Parameters > Add Parameter.
- Add a custom property to the group, called GracePeriod.
f. Set the GracePeriod parameter and value:
The GracePeriod value is the number of minutes between the rotation of roles between the accounts (Active/Inactive) and the beginning of the password change process for the current Inactive account.
This enforces a delay that ensures there are no discrepancies between the account being used by the application and the one having its password rotated, similar to the StartChangeNotBefore property used in single account management.
We recommend setting the GracePeriod to three times the CacheRefreshInterval of the Credential Provider. The CacheRefreshInterval parameter is stored in the main configuration file in the Vault. GracePeriod is expressed in minutes, so convert the CacheRefreshInterval to minutes before multiplying.
g. Save the new platform.
2. Configure the object's platform for dual account support
Configure the platform that will be used by each of the dual account objects.
This step needs to be done for each platform used by dual account objects.
To configure the object's platform:
a. Go to Target Account Platform > UI & Workflow > Properties.
Right-click Optional, and add the following properties:
- Index
- DualAccountStatus
- VirtualUsername
We recommend that you define a unique virtual user name for each pair.
b. Save the platform.
3. Configure accounts and groups for dual accounts support
This step is done for each account that is used as a dual account.
To configure support for dual accounts:
a. Click Additional details & actions in classic interface.
b. Create the account object.
Both accounts must be created in the same Safe.
c. For each dual account, select Account Details > Edit and set the following properties:
VirtualUsername: Logical representation of the account pair. This value must be the same on both accounts. We recommend that you define a unique virtual user name for each pair.
Index: Ascending from 1.
DualAccountStatus: On the account with Index value 1, set this value to Active. Set the other account to Inactive.
d. On the CPM tab, click Create New or Modify to add the account to a group:
Group: Enter a group name. This must be the same for both accounts.
Platform Name: Specify the rotational group platform that you configured in step 1 (the platform used by the group object).
4. Set the index of the group object
This step is done once on the group object.
To set the index using the PrivateArk Client, edit the group object.
Under the Group folder of the Safe containing the dual account objects:
a. Right-click the group object.
b. Select Properties > File Categories.
c. Add a file category called CurrInd with a value of 1. This indicates the index of the account that is set as Active.
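An added consistency check for the values set by hand in the two preceding steps (the account properties and the group's CurrInd), not part of the CyberArk documentation. The property names VirtualUsername, Index, DualAccountStatus and CurrInd and their expected values are as documented above; the input layout, function name and the sample pair are constructed for the example, and the sample deliberately has both accounts set to Active so that the check reports it.

```powershell
# Added example, not CyberArk's code. Input layout, function name and sample values are
# assumptions; the property names and rules come from the manual configuration steps above.

function Test-DualAccountConfig {
    param(
        [hashtable[]]$Accounts,   # each: Safe, UserName, Group, VirtualUsername, Index, DualAccountStatus
        [int]$CurrInd             # the CurrInd file category on the group object
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # Exactly two accounts make a pair.
    if ($Accounts.Count -ne 2) { $problems.Add("expected exactly 2 accounts, got $($Accounts.Count)") }

    # Same Safe, same group and same VirtualUsername on both accounts.
    foreach ($prop in 'Safe', 'Group', 'VirtualUsername') {
        $distinct = @($Accounts | ForEach-Object { [string]$_[$prop] } | Sort-Object -Unique)
        if ($distinct.Count -ne 1) { $problems.Add("$prop differs between the accounts: $($distinct -join ', ')") }
    }

    # Index values ascending from 1.
    $indexes = @($Accounts | ForEach-Object { [int]$_['Index'] } | Sort-Object)
    if (($indexes -join ',') -ne '1,2') { $problems.Add("Index values must be 1 and 2, got $($indexes -join ',')") }

    # One Active, one Inactive, and CurrInd pointing at the Active one.
    $active   = @($Accounts | Where-Object { $_['DualAccountStatus'] -eq 'Active' })
    $inactive = @($Accounts | Where-Object { $_['DualAccountStatus'] -eq 'Inactive' })
    if ($active.Count -ne 1 -or $inactive.Count -ne 1) {
        $problems.Add('exactly one account must be Active and one Inactive')
    } elseif ([int]$active[0]['Index'] -ne $CurrInd) {
        $problems.Add("CurrInd is $CurrInd but the Active account has Index $($active[0]['Index'])")
    }
    return $problems
}

# Constructed sample: the second account was saved with the wrong status.
$pair = @(
    @{ Safe = 'App-DB'; UserName = 'svc_app1'; Group = 'app_db_group'; VirtualUsername = 'app_db'; Index = 1; DualAccountStatus = 'Active' }
    @{ Safe = 'App-DB'; UserName = 'svc_app2'; Group = 'app_db_group'; VirtualUsername = 'app_db'; Index = 2; DualAccountStatus = 'Active' }
)
$issues = @(Test-DualAccountConfig -Accounts $pair -CurrInd 1)
if ($issues.Count) { $issues | ForEach-Object { "NOT OK: $_" } } else { 'OK: pair is consistent' }
```

Run the check against the property values you entered before the first CPM rotation; a pair with two Active accounts, or with CurrInd pointing at the Inactive one, will rotate into a state where the Credential Provider and the CPM disagree about which account is in use.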
5. Configure the password change interval for dual accounts
The following section describes how to set the interval for an automatic password change in the PVWA/Privilege Cloud portal.
In a dual account configuration, a password is changed only after the account rotation process is completed and the GracePeriod has ended.
Therefore, to comply with your organizational password change policy, the following formula can be used to calculate the password's expiration period (Require password change every X days) in the Rotational Group platform settings:
To set the interval for automatic password change in the PVWA/Privilege Cloud:
a. Go to Administration > Platform Management > Rotational Policy > Edit > Automatic Password Management > Password Change, and change PerformPeriodicChange to Yes.
b. Go to Policies > Master Policy > Password Management > Require password change every X days. Select Add Exception. Select <platform you created earlier> > Next. Edit the value to the number of days wanted.
Limitations
Account usages are not supported in automatic Dual Account configuration.
When initiating a manual password change on an account that is a member of a rotational group, the Synchronize the current account's password with the group's password option is not supported.
Selecting this option causes that account's password to go out of sync with the Credential Provider cache.