Before You Install
Review this topic before you install and deploy the Privileged Access Manager - Self-Hosted solution in your environment.
Planning
The following guidelines will help you plan your PAM - Self-Hosted solution environment.
Stage 1 – Architecture
Prepare an architectural design of your intended PAM - Self-Hosted implementation.
Include any or all of the following components:
- Enterprise Password Vault
- Developer tools
- Privileged Session Management
- Privileged Threat Analytics
- On-Demand Privileges Management
- Application Access Management
When you prepare this architectural design, consider the following:
Consider | Details
---|---
Network topology |
High availability |
Multiple CPMs/PSMs | Does your implementation require multiple CPMs/PSMs for
Multiple PVWAs | Does your implementation require multiple PVWAs for
Stage 2 – System Security Requirements
An important part of the planning process is understanding the security considerations for your system and how they should be addressed. To learn more, see Security Fundamentals.
Stage 3 – Authentication and User Management
When planning the authentication and user management methods, consider the following:
Consider | Details
---|---
Transparent user management | Does your organization support external directories? Which type? For details, see Configure transparent user management using LDAP.
Authentication | Which authentication methods are supported? For details, see Authenticate to Privileged Access Manager - Self-Hosted.
Stage 4 – Access to the Vault
Consider from where users access the Vault:
Consider | Details
---|---
Access location |
Interface | For details, see Privileged Access Manager - Self-Hosted Architecture.
Stage 5 – Manage the Vault
Consider how users will manage the infrastructure and contents of the Vault:
Consider | Details
---|---
Infrastructure |
User management |
Account management |

For details, see
Stage 6 – Log Vault Activity
Consider the following audit features:
Audit features
- What sort of audit features do you require in the Vault? Daily or weekly?
- For how long will audit reports be maintained?
- Will you export the audit reports to an external third-party application?
For details, see Log on to the Vault.
Prepare Your Environment
Before you start to install Enterprise Password Vault, make sure your environment meets the following requirements.
Server resources
Make sure that you have the required number of dedicated servers and server resources. The following table displays the servers that are required to successfully install the PAM - Self-Hosted solution.
CyberArk Component | Server Resource
---|---
Vault | Dedicated server
Disaster Recovery Vault | Dedicated server
Password Vault Web Access | Any IIS server
Central Policy Manager | Can be installed on the same machine as the PVWA and PSM or on a dedicated server
Privileged Session Manager | Can be installed on the same machine as the PVWA and CPM or on a dedicated server
Privileged Session Manager for SSH | Dedicated server
Privileged Threat Analytics | Dedicated UNIX server in a virtual environment
CyberArk Replication Backup | Any Windows shared server
CyberArk Remote Control | Any Windows shared server

All of the above components except the Vault and the DR Vault can be installed on the same web server.
Access to the Vault Server
The person installing the PAM - Self-Hosted solution requires physical access to the Vault server and the Disaster Recovery Vault server.
Personnel
The following list displays the main individuals who are required to implement the PAM - Self-Hosted solution and its components:
- Project Manager
- System Administrators
- Vault Administrators
- IT personnel and management
For successful implementation, these individuals must understand the goals of the Enterprise Password Vault implementation, and must undergo training in order to install and implement the Vault.
Installation Package
You will receive the PAM - Self-Hosted installation package from your CyberArk support representative. This package contains the following:
- Installations for all the components
- Two copies of the Master CD
- Two copies of the Operator CD
- License Agreement
Prepare the PAM - Self-Hosted Components
This section specifies the preparations that are required on the machines where the PAM - Self-Hosted solution components will be installed.
Component | Do the following
---|---
Firewall | If a component will access the Vault through the enterprise firewall (e.g., from the DMZ), create a firewall rule that opens port 1858 from the machine where the component will be installed to the Vault or the DR Vault.
Digital Vault |
CyberArk Digital Vault cluster (Windows 2012 and Windows 2016) |
Password Vault Web Access | We recommend installing an SSL certificate to create an HTTPS connection to protect passwords while they are being transferred.
Central Policy Manager |
Privileged Session Manager |
Privileged Threat Analytics | Ensure that there are enough resources and disk space on your virtual environment to deploy the PTA Server image.
CyberArk Replication Backup | On the machine where the replication will be stored, make sure that there is enough disk space to replicate the entire Vault database.
CyberArk Remote Control | Verify that the machine is in a secure location that can only be accessed by authorized people.
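The following readiness script is an added example, not part of the CyberArk documentation or product: it checks three of the preparations listed in the table above (TCP reachability of port 1858 to the Vault and DR Vault, free disk space for a full Vault database replica, and an HTTPS binding on the PVWA's IIS). The hostnames, drive letter and database size are placeholder assumptions; each function is meant to run on the machine where the corresponding component will be installed.

```powershell
# Added pre-installation readiness check (not CyberArk's own code).
# Placeholder assumptions: replace with your own Vault/DR Vault hostnames,
# the drive that will hold the replicated Vault database, and its size.
$VaultHosts       = @('vault.example.local', 'drvault.example.local')  # placeholder names
$VaultPort        = 1858   # Vault port named in the Firewall row above
$ReplicationDrive = 'D'    # drive that will store the Replication Backup
$VaultDbSizeGB    = 50     # assumed current size of the Vault database

function Test-VaultPort {
    param([string]$VaultHost, [int]$Port)
    # A TCP handshake only; this does not authenticate to the Vault.
    # A failure here usually means the firewall rule for port 1858 is missing.
    $r = Test-NetConnection -ComputerName $VaultHost -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = "TCP $Port to $VaultHost"; Passed = [bool]$r.TcpTestSucceeded }
}

function Test-ReplicationSpace {
    param([string]$Drive, [int]$RequiredGB)
    # Free space must cover the entire Vault database, as the Replication Backup row requires.
    $freeGB = [math]::Round((Get-PSDrive -Name $Drive).Free / 1GB, 1)
    [pscustomobject]@{ Check = "Free space on ${Drive}: ($freeGB GB >= $RequiredGB GB)"
                       Passed = ($freeGB -ge $RequiredGB) }
}

function Test-PvwaHttpsBinding {
    # PVWA runs on IIS; the table recommends an SSL certificate so passwords travel over HTTPS.
    # Requires the IIS WebAdministration module on the PVWA machine.
    Import-Module WebAdministration -ErrorAction Stop
    $https = Get-WebBinding -Protocol https
    [pscustomobject]@{ Check = 'IIS has an HTTPS binding'; Passed = ($null -ne $https) }
}

$results = @()
$results += $VaultHosts | ForEach-Object { Test-VaultPort -VaultHost $_ -Port $VaultPort }
$results += Test-ReplicationSpace -Drive $ReplicationDrive -RequiredGB $VaultDbSizeGB
$results += Test-PvwaHttpsBinding
$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { Write-Warning 'One or more readiness checks failed.' }
```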