Install a connector

This topic describes how to install a DPA connector.

The following DPA connectors are available:

  • AWS

  • Azure

  • Google Cloud

  • On-premises

Google Cloud and on-premises connectors must be assigned to a connector pool. When you create the first connector, if you have not already done so, you are prompted to create a connector pool to which you can assign the connector.

Behind the scenes

Linux user for installation

When you install a connector client, a Linux user called cyberark-dpa-connector is created on the host machine. The cyberark-dpa-connector user has very limited permissions, and is validated whenever any further installation processes (such as re-installation) are performed on the connector host. If the cyberark-dpa-connector user being used to re-install the connector client software doesn't pass validation, then the connector installation process is aborted.

The cyberark-dpa-connector user is dedicated to the CyberArk DPA Connector client software, and shouldn't be used for any other activities on the connector host machine. If you modify the cyberark-dpa-connector user configuration, you must delete it from the host or provide a different host machine if you want to re-install the connector client.

Connector client files

The connector is installed in the following location on the host machine: /opt/cyberark/connector/

The connector log file (connector-setup.log) is written to the current directory where the connector client installation package is run.

Windows service and service account for installation

You can deploy a DPA connector on Unix and Windows machines.

When you install a connector client, a Windows service called CyberArk DPA Connector is created on the host machine. You can stop and start this service manually when required.

The CyberArk DPA Connector service runs under a Virtual Service Account called NT SERVICE\CyberArkDPAConnector. This account is created and managed by the Windows operating system, and its capabilities are restricted to the minimum needed by the CyberArk DPA Connector service, following the principle of least privilege.

Connector client files

The connector is installed in the following location on the host machine: %ProgramFiles%\CyberArk\DPAConnector.

The connector log files are written to %ProgramFiles%\CyberArk\DPAConnector\Logs\connector.log.

The maximum size for a single log file is 10 MB. When the current log file reaches this size, a timestamp is added to its file name and a new connector.log file is created. When the number of log files reaches 10 (100 MB in total), the oldest log file is deleted.

Before you begin

If you are using Privilege Cloud/PAM Self-Hosted 13.0 or later, you can install a DPA connector on the same machine where a Privilege Cloud connector/PSM is installed, provided the machine is in the domain.

Verify the following for the connector host machine:

  • It meets the minimum requirements described in System requirements.

  • It is running an operating system that's supported by the connector client as described in Network requirements.

    Follow your organization's standards and industry best practices for hardening these connector machines. For example, close any port or connection available to the connector machine, other than the ones required under Network requirements.

  • It is configured to send metadata:

    • For information about the AWS Instance-Metadata-API, see the AWS docs.

    • For information about the Microsoft Azure Instance Metadata Service (IMDS), see the Microsoft docs.

Additionally, verify the following requirements:

  • You have already enabled access from your account or subscription to DPA.

  • The Linux installation script runs with root (elevated) privileges.

  • You have permissions to install the connector as an administrator.

Install a new DPA connector

To install the DPA connector:
  1. In the Connectors page, click Add a connector and select the platform where you will install the DPA connector.

  2. In the window that opens, choose the connector type (Linux or Windows).

    To support connecting to targets via RDP, make sure to install at least 2 DPA connectors on a Windows machine (for high availability) in the connector pool. The DPA connector can handle the provisioning only if it is installed on Windows.

  3. Follow the onscreen instructions for starting a connector host and installing the DPA connector.

    The connector script is only valid for 5 minutes after it is generated. If you don't run the script before it expires, you must refresh the script before you install the DPA connector.

After you install the DPA connector, you can see it in the Dynamic Privileged Access > Connectors page and review the details.

Additional installation activities

Connect an HTTP proxy server

If your network is configured with an HTTP proxy server, you can use it to connect to CyberArk and AWS endpoints.

To use an HTTP proxy server:

Before running the script, replace the sudo bash; command in the connector installation script with the following command:

sudo bash -s - -p http://{proxy_address}:{proxy_port};

TLS termination is not supported.

Connect an HTTP proxy server

If your network is configured with an HTTP proxy server, you can use it to connect to CyberArk and AWS endpoints.

To use an HTTP proxy server:
  1. On the connector machine, open PowerShell as administrator.

  2. Before running the connector script, add the following command to the beginning of the script:

    $env:CyberArkDPAConnectorProxy = 'http://{proxy_address}:{proxy_port}';
  3. Run the script.

TLS termination is not supported.

Re-install an existing connector in a Windows workspace

If you have to re-install a connector in your Windows workspace, you can opt to overwrite the existing connector client instead of deleting it and then removing the connector from DPA. This is enabled using an environment variable.

To re-install a connector on a Windows host:
  1. Open a PowerShell command window on the connector host machine.

  2. Type the following command to create an environment variable with the correct value.

    $env:CyberArkDPAConnectorOverwrite = "true"

Download connector files without installing the client

You can download the connector binary and configuration files without running the automatic installation process. This is enabled using an environment variable.

To download connector files without installing the client:
  1. Open a PowerShell command window on the connector host machine.

  2. Type the following command to create an environment variable with the correct value.

    $env:CyberArkDPAConnectorDownloadOnly = "true"

Update the proxy details after the connector is installed

To update the connector's HTTP proxy details:
  1. Go to the host machine where the connector is installed.

  2. Open the connector.config.json file (in the connector installation folder).

  3. Update the "proxy" parameter with the new proxy details. The value should be in the following format:

    http://{proxy_address}:{proxy_port}
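As an added example (not CyberArk's tooling), the following Python helper checks a new value against the http://{proxy_address}:{proxy_port} format, rejects https and credentials since TLS termination is not supported, and rewrites only the "proxy" key of connector.config.json, replacing the file atomically. The config path is supplied by the caller, and the sample config in demo() is constructed here because the page does not list the file's other keys.

```python
import json
import os
import re
import tempfile
from typing import Optional
from urllib.parse import urlsplit

# Format from the page: http://{proxy_address}:{proxy_port}. Only the http scheme is accepted
# (TLS termination is not supported); the address may be a hostname or IPv4 (no IPv6 literals).
_ADDRESS_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")

def parse_proxy_url(url: str) -> Optional[str]:
    """Return the normalized http://{proxy_address}:{proxy_port} URL, or None if it does not fit."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme != "http" or port is None:
        return None
    if parts.username or parts.password or parts.query or parts.fragment or parts.path not in ("", "/"):
        return None
    if not parts.hostname or not _ADDRESS_RE.match(parts.hostname):
        return None
    return f"http://{parts.hostname}:{port}"

def update_proxy(config_path: str, proxy_url: str) -> dict:
    """Rewrite only the "proxy" key of connector.config.json; every other key is left as it was."""
    new_value = parse_proxy_url(proxy_url)
    if new_value is None:
        raise ValueError(f"not a valid http://{{proxy_address}}:{{proxy_port}} value: {proxy_url!r}")
    with open(config_path, encoding="utf-8") as fh:
        config = json.load(fh)
    config["proxy"] = new_value
    # Write a temp file beside the original and rename it over, so an interrupted write cannot leave a truncated config.
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(config_path)), suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(config, fh, indent=2)
    os.replace(tmp_path, config_path)
    return config

def demo() -> dict:
    # Constructed sample config (not a real connector file): round-trips the update in a temp dir.
    sample = {"proxy": "http://old-proxy.example:8080", "other_setting": "constructed placeholder, left unchanged"}
    with tempfile.TemporaryDirectory() as tmp_dir:
        path = os.path.join(tmp_dir, "connector.config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        update_proxy(path, "http://new-proxy.example:3128")
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
```

On a real host, point update_proxy at the connector.config.json in the installation folder and restart the connector service afterwards so the new proxy is picked up.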