Before You Install

Review this topic before you install and deploy the Privileged Access Manager - Self-Hosted solution in your environment.

Planning

The following guidelines will help you plan your PAM - Self-Hosted solution environment.

Stage 1 – Architecture

Prepare an architectural design of your intended PAM - Self-Hosted implementation.

Include any or all of the following components:

Enterprise Password Vault

  • Vault

  • High Availability Vault

  • Disaster Recovery Vault

  • Remote Administration

  • High Availability Clustering

  • PrivateArk Administrative Client

  • Backup solution (CyberArk or other)

  • Disaster Recovery site

  • Password Vault Web Access

  • Central Policy Manager

Developer tools

  • REST API web services

  • PACLI

Privileged Session Management

  • Privileged Session Manager

  • Privileged Session Manager SSH Proxy

Privileged Threat Analytics

  • PTA Server

  • PTA Disaster Recovery

  • PTA Windows Agents

  • PTA Network Sensor

On-Demand Privileges Management

Application Access Management

  • Credential Provider

  • Central Credential Provider

  • Application Server Credential Provider

When you prepare this architectural design, consider the following:


Network topology

  • How many Vaults does your implementation require?

  • Where will they be positioned? In the internal network? In the external network? In the DMZ?

  • From where will the Vault(s) be managed?

  • From where will the Vault(s) be accessed?

High availability

  • How many passwords will you store in the Vault?

  • How frequently are your passwords accessed?

  • How essential is it to have 24/7 access?

Multiple CPMs/PSMs

Does your implementation require multiple CPMs/PSMs for:

  • Distributed architecture

  • High Availability

Multiple PVWAs

Does your implementation require multiple PVWAs for:

  • Distributed architecture

  • High Availability

  • Different authentication types

  • Access from different networks

Stage 2 – System Security Requirements

An important part of the planning process is understanding the security considerations for your system and how they should be addressed. To learn more, see Security Fundamentals.

Stage 3 – Authentication and User Management

When planning the authentication and user management methods, consider the following:


Transparent user management

Does your organization support external directories? Which type?

For details, see Configure transparent user management using LDAP.

Authentication

Which authentication methods are supported?

For details, see Authenticate to Privileged Access Manager - Self-Hosted.

Stage 4 – Access to the Vault

Consider from where users access the Vault:


Access location

  • Will the Vault be accessed from external or distributed locations?

  • Does an additional firewall rule need to be created from the machine where the interface will be installed to the Vault or the DR Vault?

Interface

  • Which is the most appropriate interface for your needs?

  • What do you need to do? Different interfaces can be used for different tasks. For example, users can retrieve passwords in the PVWA, but they can only do administrative tasks in the PrivateArk Client.

For details, see Privileged Access Manager - Self-Hosted Architecture.

Stage 5 – Manage the Vault

Consider how users will manage the infrastructure and contents of the Vault:


Infrastructure

  • How many people will manage Safes in the Vault?

  • How will the Safes be organized for most effective access control?

  • Who will do these tasks? Managerial or IT personnel?

User management

  • How many people will manage users in the Vault?

  • Which personnel will do each of the above tasks? Managerial or IT personnel?

Account management

  • How many people will manage the contents of the Vault?

  • How many users will be authorized to confirm access to Safes or passwords?

  • How many users will be able to access passwords?

For details, see Manage users.

Stage 6 – Log Vault Activity

Consider the following audit features:

Audit features

  • What sort of audit features do you require in the Vault, and how often: daily or weekly?

  • For how long will audit reports be maintained?

  • Will you export the audit reports to an external third party application?

For details, see Log on to the Vault.

Prepare Your Environment

Before starting to install Enterprise Password Vault, make sure your environment meets the following requirements.

Server resources

Make sure that you have the required number of dedicated servers and server resources. The following table displays the servers that are required to successfully install the PAM - Self-Hosted solution.

CyberArk Component – Server Resource
Vault – Dedicated server
Disaster Recovery Vault – Dedicated server
Password Vault Web Access – Any IIS server
Central Policy Manager – Can be installed on the same machine as the PVWA and PSM, or on a dedicated server
Privileged Session Manager – Can be installed on the same machine as the PVWA and CPM, or on a dedicated server
Privileged Session Manager for SSH – Dedicated server
Privileged Threat Analytics – Dedicated UNIX server in a virtual environment
CyberArk Replication Backup – Any Windows shared server
CyberArk Remote Control – Any Windows shared server

All of the above components except the Vault and the DR Vault can be installed on the same web server.

Access to the Vault Server

The person installing the PAM - Self-Hosted solution requires physical access to the Vault server and the Disaster Recovery Vault server.

Personnel

Implementing the PAM - Self-Hosted solution and its components requires the following personnel. The main individuals involved are:

  • Project Manager
  • System Administrators
  • Vault Administrators
  • IT personnel and management

For successful implementation, these individuals must understand the goals of the Enterprise Password Vault implementation, and must undergo training in order to install and implement the Vault.

Installation Package

You will receive the PAM - Self-Hosted installation package from your CyberArk support representative. This package contains the following:

  • Installations for all the components
  • Two copies of the Master CD
  • Two copies of the Operator CD
  • License Agreement

Prepare the PAM - Self-Hosted Components

This section specifies the preparations that are required on the machines where the PAM - Self-Hosted solution components will be installed.


Firewall

If a PAM - Self-Hosted component will access the Vault through the enterprise firewall (e.g., from the DMZ), create a firewall rule that opens port 1858 from the machine where the component will be installed to the Vault or the DR Vault.

Digital Vault

  1. Install a clean operating system or image.

  2. Install the mandatory software, .NET Framework and C++ Redistributable, without any additional software. For more information, see Digital Vault Server.

  3. Verify the following:

    • The Vault machine has a static IP address.

    • There is enough disk space to replicate the Vault.

    • The Vault machine is in a secure physical location that can only be accessed by authorized people.

    • All the disks on all Vault Servers are using the same File System type.

  4. Remove all users and groups that are not required for installation.

  5. The Vault must be installed in a local Workgroup, and not as part of a Domain.

  6. The Vault machine must be in a secure physical location that can only be accessed by authorized people.

  7. If you intend to use a third-party hardware solution to access the Vault remotely such as KVM, ILO, etc., install them on the Vault and DR Vault machines before installing the Vault server.

  8. If the keys to the Vault will be stored externally on HSM, make sure that the HSM software is installed on the Vault machine and that the HSM and the Vault machine can communicate, before installing the Vault server.

  9. Configure the Windows Locale on the Vault Server if you want another language in addition to English.
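As an added pre-install check (not CyberArk's own tooling), the following PowerShell script covers the Firewall item above and several of the Digital Vault items in one run: on a component machine it tests TCP 1858 reachability to the Vault and the DR Vault; on the Vault server itself it checks workgroup membership (not domain-joined), a static IPv4 address, and a single file system type across all fixed disks. The Vault and DR Vault host names are placeholders; run it as Administrator.

```powershell
# Added pre-install check script; not part of the CyberArk installation package.
# VaultAddress / DrVaultAddress are placeholders for your own Vault and DR Vault hosts.
param(
    [string]$VaultAddress   = 'vault.example.internal',    # placeholder
    [string]$DrVaultAddress = 'drvault.example.internal',  # placeholder
    [switch]$IsVaultServer                                 # set when run on the Vault or DR Vault itself
)

$results = @()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

if ($IsVaultServer) {
    # Step 5: the Vault must be in a local Workgroup, not a Domain member
    $cs = Get-CimInstance Win32_ComputerSystem
    Add-Check 'Workgroup (not domain member)' (-not $cs.PartOfDomain) `
        "PartOfDomain=$($cs.PartOfDomain); Workgroup=$($cs.Workgroup)"

    # Step 3: static IP address. DHCP-assigned addresses report PrefixOrigin 'Dhcp'.
    $dhcp = Get-NetIPAddress -AddressFamily IPv4 |
            Where-Object { $_.PrefixOrigin -eq 'Dhcp' -and $_.InterfaceAlias -notmatch 'Loopback' }
    Add-Check 'Static IPv4 address on all adapters' ($dhcp.Count -eq 0) `
        (($dhcp | ForEach-Object { "$($_.InterfaceAlias): $($_.IPAddress)" }) -join '; ')

    # Step 3: all disks on the Vault server use the same file system type
    $fsTypes = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.FileSystem } |
               Select-Object -ExpandProperty FileSystem -Unique
    Add-Check 'Single file system type on all fixed disks' ($fsTypes.Count -le 1) ($fsTypes -join ', ')
}
else {
    # Firewall item: TCP 1858 must be reachable from the component machine
    # to both the Vault and the DR Vault (tests the path, not a specific firewall rule)
    foreach ($target in @($VaultAddress, $DrVaultAddress)) {
        $tnc = Test-NetConnection -ComputerName $target -Port 1858 -WarningAction SilentlyContinue
        Add-Check "TCP 1858 to $target" ([bool]$tnc.TcpTestSucceeded) "RemoteAddress=$($tnc.RemoteAddress)"
    }
}

$results | Format-Table -AutoSize
# Non-zero exit code lets the script gate an automated build of the machine
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

Run it with `-IsVaultServer` on the Vault and DR Vault machines, and without that switch on each machine that will host another component.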

CyberArk Digital Vault cluster (Windows 2012 and Windows 2016)

  1. Create a SAN connection between the cluster machines.

  2. Create an isolated network between the cluster machines, either a private network or a cross-over cable.

Password Vault Web Access

We recommend installing an SSL certificate to create an HTTPS connection to protect passwords while they are being transferred.

Central Policy Manager

  1. Ensure that the CPM is secure in the following aspects:

    • Physical location

    • Network access

    • Auditing and monitoring

    • Active services

  2. The CPM machine must not be accessible from the internet or any other unsecured network.

  3. Make sure that the CPM machine has TCP connectivity to the Vault and to the remote machines where it will change passwords. For a full list of CPM ports, refer to Network Ports Overview.

Privileged Session Manager

  1. Make sure that there is enough disk space to store the Session Recordings until they are uploaded to the Vault. For specific requirements, refer to the Privileged Access Manager - Self-Hosted System Requirements document.

  2. Make sure that Microsoft Remote Desktop Services Session Host is installed and configured.

  3. If you intend to implement Remote Desktop Gateway, make sure that Microsoft Remote Desktop Services Session Host is installed and that Remote Desktop Gateway is configured.

Privileged Threat Analytics

Ensure that there are enough resources and disk space on your virtual environment to deploy the PTA Server image.

CyberArk Replication Backup

On the machine where the replication will be stored, make sure that there is enough disk space to replicate the entire Vault database.

CyberArk Remote Control

Verify that the machine is in a secure location that can only be accessed by authorized people.