Configure PTA
The following procedure walks through each step of the PTA installation wizard, in the order the wizard presents them. See Install PTA using the Wizard.
1. | On the system console, log in as the root user using the following password: DiamondAdmin123! This is the factory default for every PTA image and is publicly documented; the wizard requires you to replace it in Step 2/18. |
2. | Navigate to the prepwiz folder using the PREPWIZDIR command. |
3. | At the command line, run the following command: |
./run.sh
The installation wizard begins. Default values are displayed in brackets.
If you receive an error in any step, press Ctrl+C to exit the installation wizard, and run the wizard again. When the wizard starts, you can choose to resume it from the step where the error occurred. |
4. | To accept the default value, press Enter. |
[Step 1/18 - End User License Agreement]
Please read CyberArk's Privileged Threat Analytics End User License Agreement, which determines the terms of use of this software and all of its components.
CyberArk's Privileged Threat Analytics may include certain third party components, which are listed in the About window in the Privileged Threat Analytics dashboard.
To install CyberArk's Privileged Threat Analytics, you must accept the End User License Agreement which you can view at /opt/pta/utility/EULA.
Do you accept all terms of this agreement (y/n)? y
End User License Agreement accepted successfully.
1. | Enter y to accept the terms of the agreement and proceed to the next step of the wizard. |
2. | Or, enter n to exit the wizard. |
[Step 2/18 – Change PTA root user password]
Specify a new password for the root user.
The password must contain:
Minimum of 8 characters
1 capital letter
1 small letter
1 digit
1 special character
Enter the current password for the root user:
1. | Enter the current password for the root user. The following appears: |
Specify a new password for this user:
2. | Enter the new root user password, according to the requirements. The following appears: |
Retype the new password:
3. | Re-enter the new root user password. The following appears: |
Root user password changed successfully.
[Step 3/18 – Network configuration]
1. | If there is an existing IP address for the PTA Server, the following lines appear: |
Found existing IP address:
Would you like to change the IP Address (y/n)?
2. | If you entered y to change the IP address, or if there is no existing IP address for the PTA Server, the following lines appear: |
a. | If there is only one available network interface: |
Network interface <interface_id> was found and will be used for the PTA server.
Specify the network configuration:
‘dhcp’ – To obtain an IP and DNS server address automatically
‘static’ – To set an IP address manually [dhcp]:
b. | If there are multiple available network interfaces: |
There is more than one available network interface, select the appropriate network interface [<interface_id>,<interface_id>,...]:
c. | Enter the desired network interface. The following lines appear: |
Specify the network configuration:
‘dhcp’ – To obtain an IP and DNS server address automatically
‘static’ – To set an IP address manually [dhcp]:
3. | To detect an IP and DNS server address automatically (dhcp): |
a. | At the network configuration prompt, enter dhcp. This is the default value. |
The IP and DNS server are detected and configured automatically and the following lines appear.
The IP and DNS are configured automatically.
IP configuration finished successfully
DNS configuration
Found existing DNS server 1.1.1.1
Testing configuration … ping – to perform verification of DNS
Configuration test was completed successfully
After the first DNS server is configured successfully, the following prompt appears, enabling you to specify an additional DNS server.
Would you like to specify an additional DNS server (y/n)? [n]:
b. | Enter y to specify an additional DNS server. |
c. | Or, enter n to continue directly to [Step 4/18 Domain names mapping configuration]. |
4. | To set an IP address manually (static): |
a. | At the network configuration prompt, enter static, then press Enter. The IP address prompt appears. |
Specify an IP address:
b. | Enter the IP address to set, then press Enter. The Netmask prompt appears. |
Netmask [255.255.255.0]:
c. | Enter the netmask to configure, then press Enter. The Gateway prompt appears. |
Gateway:
d. | Enter a gateway that will be used as the default gateway, then press Enter. The process verifies the Gateway and displays a confirmation. |
Testing configuration … ping – to perform verification of Gateway
Configuration test was completed successfully
e. | The static IP address is now configured and the confirmation appears. |
IP configuration finished successfully
At this point, the following prompt appears to specify the IP address of a DNS server.
DNS configuration
Specify full domain name (e.g. "domain.com"):
There were no existing DNS servers found
Specify a DNS server address:
f. | Enter the IP address of a DNS server. |
The process verifies the DNS server and displays the following:
Testing configuration… ping - to perform verification of DNS
Configuration test was completed successfully
At this point, a prompt appears, enabling you to specify an additional DNS server.
Would you like to specify an additional DNS server (y/n)? [n]:
g. | Enter y to specify an additional DNS server. |
h. | Or, enter n to continue directly to [Step 4/18 Domain names mapping configuration]. |
i. | If you entered y, a prompt appears requesting you to specify the IP address of the additional DNS server. |
Specify a DNS server address:
j. | Enter the IP address of the DNS server, then press Enter. |
The process verifies the DNS server and displays the following:
Testing configuration… ping - to perform verification of DNS
Configuration test was completed successfully
k. | Specify additional DNS servers as needed. When you have finished specifying DNS servers, enter n at the prompt. |
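As an added example (not part of the wizard or of CyberArk's documentation), the following Python script checks that the answers you intend to give at the static prompts are consistent with each other before you type them: the IP is a usable host address under the netmask, the gateway lies inside that subnet, and each DNS server is a well-formed, non-duplicated IPv4 address. The wizard itself only pings the gateway and DNS servers, so a mistyped subnet shows up as a failed test, a Ctrl+C and a restart. All addresses in it are constructed sample values.

```python
"""Consistency check for the Step 3/18 'static' answers before they go into the wizard.

Added example, not part of the PTA wizard or CyberArk's documentation. The
wizard only pings the gateway and DNS servers; this catches answers that
cannot work before a failed test forces a Ctrl+C and restart. All
addresses used here are constructed sample values.
"""
import ipaddress


def check_static_config(ip, netmask, gateway, dns_servers):
    """Check the answers to the Step 3 'static' prompts for consistency.

    Returns a list of problem strings; an empty list means the answers fit
    together and can be entered in the wizard as they are.
    """
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    except ValueError as exc:
        # Covers malformed IPs and non-contiguous masks such as 255.255.0.255.
        return [f"invalid IP address or netmask: {exc}"]
    net = iface.network
    host = iface.ip

    # The network and broadcast addresses are not usable host addresses
    # (except on /31 point-to-point links and /32).
    if net.prefixlen < 31 and host in (net.network_address, net.broadcast_address):
        problems.append(f"{host} is the network or broadcast address of {net}")

    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        problems.append(f"gateway {gateway!r} is not a valid IPv4 address")
    else:
        if gw not in net:
            # Linux will not install a default route via an unreachable
            # next hop, so the wizard's gateway ping test cannot succeed.
            problems.append(f"gateway {gw} is outside {net}; the wizard's gateway ping test will fail")
        elif gw == host:
            problems.append("gateway must not be the PTA server's own address")

    seen = set()
    for entry in dns_servers:
        try:
            dns = ipaddress.IPv4Address(entry)
        except ValueError:
            problems.append(f"DNS server {entry!r} is not a valid IPv4 address")
            continue
        if dns in seen:
            problems.append(f"DNS server {dns} is listed twice")
        seen.add(dns)
    if not seen:
        problems.append("at least one DNS server is required")
    return problems


if __name__ == "__main__":
    # Constructed answers: a /24 with the gateway accidentally typed in the wrong subnet.
    for problem in check_static_config("192.168.2.30", "255.255.255.0",
                                       "192.168.3.1", ["10.0.0.53"]):
        print("problem:", problem)
```

Run it with the values you plan to enter; an empty result means the only remaining failure mode is reachability, which the wizard's own ping tests cover.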
[Step 4/18 Domain names mapping configuration]
PTA requires a list of each domain name with its corresponding NETBIOS (pre-Windows 2000) name to better identify each domain name in the data.
You must perform this step for each domain in each Active Directory that is monitored by PTA.
For more information specify ‘help’.
Would you like to specify domain names mapping configuration (y/n)? [y]:
1. | Enter y to begin configuration. |
2. | Or, enter n to skip to [Step 5/18 – Date and TimeZone configuration]. |
The following message appears:
Fully Qualified Domain Name (FQDN), for example, domain.com:
NETBIOS (pre-Windows 2000) name, for example, DOMAIN_PROD:
3. | Enter the Fully Qualified Domain Name and NETBIOS name, and then press Enter. After the mapping is saved successfully, the following is displayed: |
Configure another domain name with its corresponding NETBIOS name (y/n):
4. | Enter y to configure another domain name mapping, or n to continue directly to the next step. |
[Step 5/18 – Date and TimeZone configuration]
Specify your time zone (example: America/Chicago). For a full time zone list, specify ‘help’.
Time zone:
1. | At the time zone prompt, specify your time zone. For a list of available time zones, see PTA Server Time Zones. |
2. | Enter the time zone, then press Enter. The date and time prompt appears. |
Specify current date and time in 24h format “MM/DD/YYYY hh:mm” (example: 11/21/2013 16:20):
3. | Enter the current date and time in the format shown in the prompt, then press Enter. The following prompt appears, enabling you to synchronize the PTA clock with an NTP server. NTP sets the time; the time zone you entered above is kept as is. |
Do you want to synchronize with NTP server (y/n)? [n]
4. | Enter y to synchronize the clock with an NTP server. |
5. | Or, enter n to keep the manually entered date and time and skip to [Step 6/18 – Database initialization]. |
6. | If you specified y, the NTP server IP prompt appears: |
Specify the NTP server IP:
7. | Enter the IP address of the NTP server, then press Enter. |
The date and time zone are now configured and the following confirmation is displayed, and the installation proceeds to the next step.
Date and time zone configuration finished successfully
[Step 6/18 – Database initialization]
The wizard automatically initializes the database that will be used for the Privileged Threat Analytics solution.
Starting database
Database initialization finished successfully.
After this step has finished successfully, the installation proceeds to the next step.
Step 8/18 establishes connectivity between PTA and the Vault, which authorizes the Vault as a source host. It enables forwarding data from the Vault to PTA, retrieving reports from the Vault, and configuring Golden Ticket detection.
PTA connects to PVWA in trusted mode, verifying the PVWA certificate chain. You must install the PVWA public certificate in PTA before running this step. For details, see Import your Organization's SSL Certificate.
[Step 8/18 – PAS connection configuration]
This step is optional. Would you like to configure it (y/n)?:
Establish connectivity between PTA and the Vault to authorize the Vault as a source host. This is a prerequisite for:
Forwarding data from the Vault
Retrieving Vault reports
Configuring Golden Ticket detection
1. | Enter y to integrate PTA with the Vault. |
2. | Or, enter n to install PTA without a Vault connection and continue directly to [Step 12/18 Authorized source hosts configuration]. |
3. | If you entered y, specify the Vault server's IP address and port number, then press Enter. |
Specify the Vault server's IP address and port number.
IP:
Port [1858]:
4. | The Disaster Recovery Vault prompt appears, where you specify the relevant DR Vault IP/s. |
Would you like to configure Vault DR (y/n)?
Specify the Vault DR IP address. If there are multiple DR servers, list all the IPs separated by a comma.
IP/s:
5. | Enter y to configure the DR Vault, making sure to use a comma if there are multiple DR Vault servers, then press Enter. |
6. | Or, enter n to continue. |
7. | The cluster or distributed Vault configuration prompt appears, where you specify the physical IPs of all the Vaults. |
Is your vault installed in a cluster or distributed environment? (y/n)?
8. | If you entered y, specify the physical IPs of all Vaults, then press Enter. |
Specify the physical IP's of all Vaults (Active node, Passive node, Master, Satellite), separated by commas (example: 192.168.2.30,192.168.60.70):
You must enter all physical IPs configured on all the network cards.
9. | Specify the Username and Password of the Vault user who will create the PTA environment in the Vault. This user must have administrator permissions. |
Specify Vault Admin credentials using CyberArk authentication.
This user must have administrator permissions, and it will be used to update the environment required for the PTA in the Vault server.
Vault Admin username [Administrator]:
Vault Admin password:
Retype Vault Admin password:
Creating PTA Vault user.
PTA Vault user created successfully.
Creating PTAApp Vault user.
PTAApp Vault user created successfully.
The PTA environment is now created in the Vault. During this process, the PTA Vault users were created to manage PTA activity in the Vault.
10. | Specify the time zone configured in the Vault. |
Specify your vault time zone (example: America/Chicago). For a full time zone list, specify 'help'.
Time zone [America/Chicago]:
After this is completed successfully, a confirmation message is displayed, and the installation proceeds to the next step.
Vault configuration finished successfully.
11. | Establish connectivity between PTA and the PVWA. |
Establish connectivity between PTA and the PVWA. Would you like to configure this (y/n)?
12. | Enter y to establish connectivity. |
13. | Or, enter n to continue to the next step. |
14. | If you entered y, the following message appears: |
By default, the PTA connection with PVWA is verified and trusted, using a pre-configured PVWA certificate chain installed in PTA.
Note: If you have not installed the PVWA certificate chain in PTA, press Ctrl+C to exit the PTA installation wizard, run /opt/tomcat/utility/sslClientCertificateChainInstallationUtil.sh to install the certificate chain in PTA, and run the PTA installation wizard again.
Would you like to keep the trusted connection between PTA and PVWA (y/n)? [y]: y
15. | Specify the PVWA host name, whether HTTPS is enabled, the PVWA port, and the PVWA application root context. Keep HTTPS enabled (the default) unless PVWA is deliberately served over plain HTTP: answering n, as in the transcript below, sends PTA's requests to PVWA in cleartext, and the certificate trust confirmed in the previous prompt does not apply to an HTTP connection. |
Enter PVWA address (example: pvwa.domain.com):
Https enabled (y/n)? [y]: n
PVWA port [80]:
PVWA application root context [PasswordVault]:
16. | The connection is checked. |
Testing PVWA connection...
Connection completed successfully.
If you configured the connection to the Vault, you are prompted to configure the Vault activities report.
[Step 9/18 - Loading user and safe activities report]
This step is optional. Would you like to configure it (y/n)?:
1. | Enter y to load the user and Safe activities report. |
2. | Or, enter n to continue directly to [Step 11/18 - Loading inventory report]. |
3. | If you entered y, specify the number of previous days to be included when creating the report. |
Specify the number of previous days that will be included in the user and safe activities report.
Number of days [180]:
The following activity message is displayed:
Generating the user and safe activities report...
Loading the user and safe activities report...
After the activity report was created and loaded successfully, a confirmation is displayed and the installation proceeds to the next step.
User and safe activities report loading was completed successfully.
If you configured the Vault activities report, you are prompted to create baselines for the Privileged Threat Analytics algorithms.
[Step 10/18 – Baselines creation]
This step is optional. Would you like to configure it (y/n)?:
1. | Enter y to create baselines. |
2. | Or, enter n to continue directly to [Step 11/18 - Loading inventory report]. |
3. | If you entered y, the baselines creation begins: |
Creating baseline for ‘Privileged access during irregular hours’ algorithm...
Baseline created successfully
Creating baseline for ‘Excessive access to privileged accounts’ algorithm...
Baseline created successfully
Creating baseline for 'Accessing the Vault from irregular IP' algorithm...
Baseline created successfully
After the baselines were created successfully, the following confirmation is displayed, and the installation proceeds to the next step.
Baselines creation finished successfully.
If you configured the connection to the Vault, you are prompted to load the Vault inventory report.
[Step 11/18 - Loading inventory report]
This step is optional. Would you like to configure it (y/n)?:
1. | Enter y to load the inventory report. |
2. | Or, enter n to continue directly to [Step 12/18 Authorized source hosts configuration]. |
3. | If you entered y, an inventory report is generated and prepares to load. |
Generating the inventory report...
Loading the inventory report...
After the information was gathered successfully, a confirmation is displayed and the installation proceeds to the next step.
Inventory report loading was completed successfully.
PTA must be configured to receive messages from authorized sources only.
[Step 12/18 Authorized source hosts configuration]
Specify the source host IPs that are authorized to forward messages to PTA, separated by a comma (for example: 11.22.33.44,11.22.33.55).
To allow all hosts types to forward messages to PTA, specify 'All'.
To prevent any host type from forwarding messages to PTA, specify 'None'.
PTA should only be permitted to receive messages from authorized sources, such as the organizational SIEM and any other server that sends messages directly to PTA. Do not use 'All' in production: it disables the source check, so any host with network access to PTA can inject events into the analytics. Keep the list to the specific forwarding hosts and review it whenever a SIEM or collector is replaced.
If the Vault connection was configured, the Vault is automatically considered an authorized source host, so you do not need to specify it in this step.
Authorized machines:
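As an added example (not part of the wizard or of CyberArk's documentation), the following Python script validates a candidate answer for the Authorized machines prompt, flags 'All', duplicates and Vault addresses that are authorized anyway, renders the answer in the exact form the prompt expects, and shows the set of sources PTA will accept once the Vault is added automatically. It assumes the prompt takes exactly what it says: All, None, or IPv4 addresses separated by commas. The SIEM and Vault addresses are constructed sample values standing in for what was entered in Step 8/18.

```python
"""Check the answer for 'Authorized machines:' (Step 12/18) before entering it.

Added example, not part of the PTA wizard or CyberArk's documentation. It
assumes the wizard accepts exactly what the prompt says: 'All', 'None', or
IPv4 addresses separated by commas. The Vault addresses used at the bottom
are constructed sample values standing in for the Step 8/18 answers.
"""
import ipaddress


def parse_authorized_hosts(answer, vault_ips=()):
    """Return (mode, hosts, warnings) for a candidate answer.

    mode is 'all', 'none' or 'list'; hosts is the set of IPv4Address objects
    for 'list'; warnings are security or hygiene notes. Malformed entries
    raise ValueError so the answer is corrected before the wizard sees it.
    """
    text = answer.strip()
    warnings = []
    vault = {ipaddress.IPv4Address(v) for v in vault_ips}

    if text.lower() == "all":
        warnings.append("'All' disables the source check: any host that can reach PTA "
                        "can inject events into the analytics. Use an explicit list.")
        return "all", set(), warnings
    if text.lower() == "none":
        warnings.append("'None' blocks every forwarding host, so no SIEM or other "
                        "server can send messages to PTA.")
        return "none", set(), warnings

    hosts = set()
    for token in text.split(","):
        token = token.strip()
        if not token:
            raise ValueError("empty entry: check for a doubled or trailing comma")
        try:
            addr = ipaddress.IPv4Address(token)
        except ValueError:
            raise ValueError(f"{token!r} is not an IPv4 address; the prompt takes IPs, not hostnames")
        if addr in hosts:
            warnings.append(f"{addr} is listed twice")
        if addr in vault:
            warnings.append(f"{addr} is a Vault address and is authorized automatically")
        hosts.add(addr)
    return "list", hosts, warnings


def format_answer(hosts):
    """Render the host set exactly as the prompt expects: comma-separated, no spaces."""
    return ",".join(str(h) for h in sorted(hosts))


def effective_sources(mode, hosts, vault_ips=()):
    """The set PTA accepts events from after Step 12, or None if unrestricted ('All')."""
    if mode == "all":
        return None
    return set(hosts) | {ipaddress.IPv4Address(v) for v in vault_ips}


if __name__ == "__main__":
    VAULT_IPS = ["192.168.2.30", "192.168.60.70"]          # constructed, as entered in Step 8/18
    CANDIDATE = "11.22.33.44, 11.22.33.55, 192.168.2.30"  # constructed: two SIEM hosts and one Vault IP
    mode, hosts, warnings = parse_authorized_hosts(CANDIDATE, VAULT_IPS)
    print("type this at the prompt:", format_answer(hosts))
    for w in warnings:
        print("warning:", w)
    print("effective sources:", sorted(map(str, effective_sources(mode, hosts, VAULT_IPS))))
```

The value printed by format_answer is what to type at the prompt; the warnings are the review you would otherwise do by hand after the fact.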
Before you configure PTA Network Sensors, you must have already installed and configured the Network Sensor. See PTA Network Sensors.
[Step 13/18 – Network sensor and PTA agent connection configuration]
This step is optional. Would you like to configure it (y/n)?:
1. | Enter y to configure a PTA Network Sensor connection, a PTA Windows Agent connection, or both. |
2. | Or, enter n to install PTA without a PTA Network Sensor connection or a PTA Windows Agent connection, and continue directly to [Step 15/18 – Email notifications configuration]. |
3. | If you entered y, the following appears. |
The PTA Server can be configured to collect network traffic with agents installed on your DCs or with Network Sensor machines, or with both.
Will your implementation include PTA agents? (y/n)
4. | Enter y to configure the PTA Windows Agent connection. The following appears. |
The Server configuration for PTA agents was configured successfully. After completing the PTA Server installation, you must install the PTA agents.
5. | The following appears. |
Will your implementation include PTA network Sensor machines? (y/n)
6. | Enter y to configure the connection to the PTA Network Sensors. |
The PTA Server must be configured with each PTA Network Sensor that was installed. The following appears.
Configure the connection to the PTA Network Sensors:
The PTA Server must be configured with each PTA Network Sensor that was installed.
Press [y] to configure a PTA Network Sensor. Press [n] to skip this step:
7. | Enter y to configure a PTA Network Sensor connection. |
8. | Or, enter n to continue directly to [Step 14/18 – Golden Ticket detection configuration]. |
9. | If you entered y, you are prompted to specify the IP of each machine on which each PTA Network Sensor was installed. |
IP:
10. | Press Enter; the following message is displayed. |
The PTA Network Sensor was configured successfully.
Press [y] to configure a PTA Network Sensor. Press [n] to skip this step [y]:
11. | If you have more than one Network Sensor, press y to continue specifying the IP of each machine on which each PTA Network Sensor was installed. |
12. | When you have completed specifying the PTA Network Sensors, press n. |
If you configured the PTA Network Sensor connection or the PTA Windows Agent connection, the Golden Ticket detection prompt appears.
Before you configure Golden Ticket detection, you must have already added privileges to the Domain User and added the Domain User as an Account. For details, see Configure PTA for Golden Ticket Detection.
[Step 14/18 – Golden Ticket detection configuration]
This step is optional. Would you like to configure it (y/n)?
1. | Enter y to configure Golden Ticket detection. |
2. | Or, enter n to continue directly to [Step 15/18 – Email notifications configuration]. |
3. | If you entered y, specify the Username and Password of the Vault user who will configure the Golden Ticket detection. This user must have administrator permissions. |
Specify Vault username and password.
This user must have administrator permissions, and it will be used to update the environment required for the PTA in the Vault server.
Username [Administrator]:
Password:
Retype password:
Creating PTA App Vault User.
PTA App Vault User created successfully.
4. | Define the domain name to monitor for Golden Ticket detection, and one of its Domain Controller IPs. |
PTA can monitor either a domain and its sub-domains, or a single domain.
Specify the domain name to monitor:
Domain name:
Would you like to monitor the domain and its sub-domains? (y/n)?
After specifying the domain name to monitor, specify whether to also monitor the sub-domains.
5. | Enter y to monitor the domain name and its sub-domains. |
6. | Or, enter n to monitor only the specified domain name. |
7. | If you entered y, specify the Enterprise Admin account path and its domain name, or the path to a less privileged account that holds only the replication permissions in the monitored domain and its sub-domains. The account is referenced by its location in the Vault (Safe name, Folder path, File name). |
Specify the relevant Enterprise Admin account path (Safe name, Folder path, File name) and its domain name.
Or, specify a path to an account which has Replicate permissions in the monitored domain and its sub-domains.
The Enterprise Admin account will only be used for the monitored domains.
Safe name:
Folder path:[Root]
File name:
Account Domain name:
8. | If you entered n, specify one of the Domain Controller IPs and the path to the Domain Admin account for that domain, or to a dedicated account that holds only the replication permissions. |
To do this, in Active Directory define a user and grant it the following rights on the domain naming context:
■ | Replicating Directory Changes |
■ | Replicating Directory Changes All |
■ | Replicating Directory Changes In Filtered Set |
These are the directory replication (DCSync) rights: an account that holds them can retrieve every account's password hashes from the domain, so treat it as tier-0, use it for nothing else, and keep its credentials only in the Vault as entered here.
Specify one of the Domain Controllers IP’s and relevant Domain Admin account path (Safe name, Folder path, File name).
Or, specify a path for an account with Replicate permissions required for this domain.
Domain Controller IP:
Safe name:
Folder path:[Root]
File name:
After configuring the domain to monitor and one of its Domain Controller IPs, one of the following messages is displayed:
■ | If the PTA App Vault user already has ownership of the specified safe, the following message is displayed: |
PTA App Vault user ownership on the mentioned safe was already defined.
■ | If it does not, you are requested to specify a Vault user who has owner permissions on the safe, so that the PTA App Vault user can be added as an owner. |
Specify Vault username and password.
This user must have owner permissions on the mentioned safe. This user will be used to manage the PTA App Vault user ownership on the safe.
Username:
Password:
Retype password:
PTA App Vault user successfully received permission to the safe.
9. | Enter the username and password of the Vault user who has owner permissions on the mentioned safe. |
After completing this step, you will be asked if you want to specify an additional domain.
Would you like to monitor an additional domain (y/n)? [n]:
10. | Enter y to specify an additional domain to monitor. |
11. | Or, enter n to continue directly to the next step. |
12. | If you entered y, go back to step 4, Define the domain name to monitor for Golden Ticket detection, and one of its Domain Controller IPs. |
13. | Repeat for each domain that you need to monitor. |
After completing this step, the following confirmation is displayed, and the installation proceeds to the next step.
Golden ticket detection configuration finished successfully.
[Step 15/18 – Email notifications configuration]
This step is optional. Would you like to configure it (y/n)? [y]:
1. | Enter y to configure email notifications, then press Enter. These notifications will be sent when the Privileged Threat Analytics solution detects anomalies. |
2. | Or, enter n to continue directly to [Step 16/18 – PTA maintenance user configuration]. |
3. | If you entered y, the secure integration method prompt appears. Choose starttls or ssl; with none, the notification content and, if the mail server requires authentication, the sender's credentials travel in cleartext. |
We recommend that you configure email integration in a secure method, which requires the exchange certificate to be installed in PTA prior to running this step.
SMTP/S protocol (starttls/ssl/none)? [starttls]:
4. | Enter the SMTP/S protocol, then press Enter. The following prompt appears. |
Specify the email server IP address:
5. | Enter the email server IP address, then press Enter. The following prompt appears. |
Specify SMTP port [25]:
6. | Enter the port of the SMTP server, then press Enter. The following prompt appears. |
Specify the sender’s email address (in the following format: user@domain.com):
7. | Specify the email address, in lowercase characters, of the user whose name will be included as the sender in notifications, then press Enter. The following prompt appears. |
Specify the recipient’s email address (in the following format: user@domain.com). Separate multiple addresses with ‘;’ (semi-colon):
8. | Specify the email address(es), in lowercase characters, of the notification recipient(s), then press Enter. Separate multiple recipient addresses with a semi-colon. The mail server authentication prompt appears. |
Does the mail server require authentication (y/n)? [y]:
9. | Enter n if the mail server does not require authentication and proceed to [Step 16/18 – PTA maintenance user configuration]. |
10. | Or, enter y if the mail server requires authentication, then press Enter. |
The sender’s credentials prompts appear.
Setting the sender’s credentials
Enter username and password for the user that will send email notifications.
Username:
Password:
Retype password:
11. | Enter the user name and password of the user in the email system who will send notifications, then press Enter. After the sender’s credentials are saved successfully, the following confirmation is displayed. |
Email configuration verification completed successfully. Test email sent to configured attendees.
Was the test email received (y/n)? [y]:
12. | After the test email is received, enter y. The following confirmation is displayed, and the installation proceeds to the next step. |
Email notifications configuration finished successfully.
[Step 16/18 – PTA maintenance user configuration]
Creating a user for system maintenance.
Specify a password for this user:
Retype password:
After installation, you can use this user to perform maintenance activities on the PTA machine.
1. | Enter the password of the PTA maintenance user, ptauser, then press Enter. |
2. | After this user has been created and its user credentials are saved successfully, the following confirmation is displayed, and the installation proceeds to the next step. |
PTA maintenance user was created successfully.
1. | Enter y to begin initialization. |
Starting PTA
PTA initialization finished successfully.
After successful initialization, the confirmation above is displayed and the installation is complete.