Version 12.6

What’s new in this release?

The following features were introduced or enhanced in Privileged Access Manager - Self-Hosted version 12.6.

LTS

This version is designated as Long Term Support (LTS). Customers who install this version will continue receiving security updates and critical bug fixes per our policy.

For more details, please review our End-of-Life policy.

Shared Technology Platform

Support Microsoft Windows 2019 for Privileged Access Management components deployed in the cloud

We are extending the support that already exists for Privileged Access Management components deployed on-premises to their counterpart images deployed in the cloud (AWS and Azure).

Telemetry tool enhancements offer increased visibility into password management


New features and viewing options enable customers to gain better compliance visibility from CyberArk's Telemetry tool. Newly added password management policy-related attributes enable customers to analyze overall password security levels and gain actionable insights.

Newly added metrics include:

  • Platforms with periodic verify

  • Platforms with automatic reconcile

  • Platforms with periodic change

Vault

Continuous improvement of the compliance and security of the Vault

Windows Server 2019 Hardening revised to follow CIS standards

CIS guidelines are used by many organizations as security standards and best practices for defending IT systems.

Accordingly, Digital Vault hardening has been revised to align with Center for Internet Security (CIS) guidelines specifically designed for the standalone server of the Digital Vault.

The new hardening achieves over 90% compliance with the January 2022 CIS report and provides additional hardening guidelines that are not covered or not secured to the Vault standard by the CIS report.

PAKeyGen to support the 64-bit PKCS#11 library and HSMs that require a PIN

To let the Vault integrate with a broader range of Hardware Security Modules (HSMs), the PAKeyGen utility now supports the 64-bit PKCS#11 library when generating server keys with HSM integration. HSM vendors that require a Personal Identification Number (PIN) are also supported.

Password Vault Web Access

Simplified Safe Management user interface

Password Vault Web Access 12.2 introduced the new Safes view, which aligns with the cleaner, more modern look and feel. In this version we expanded the new Safes interface with a wizard-led workflow that simplifies Safe management and gives better visibility into the process.

The new Safes view in the PVWA replaces the classic interface and offers extended management capabilities to:

  • Create and edit Safes within a new flexible workflow supported by wizard-led steps

  • Easily assign members to Safes thanks to enhanced user filtering capabilities

  • Manage Safe members and permissions as part of the Safe creation and editing flow. Permissions are easier to manage thanks to predefined permission sets (Read only, Approver, Accounts manager, Full, Customized).

Change password - set the next password value

Customers may need to specify the next password that will be used by the CPM to update an account's credentials.

In such cases, Vault administrators can change the password in the Vault straight from the default PVWA UI; the CPM then reconciles it on the remote machine during the next CPM process. Until now, this option was only available in the classic UI.

Certificate issuer validation to PKI/PKIPN Authentication

PKI enables the use of certificates for servers and users to identify each other and establish a secure connection. Certificates contain encryption values, or keys, that are used for encrypting and ensuring the integrity of messages sent between the two parties.

When a user logs on to the PVWA using the PKI/PKIPN authentication method, the user and the Server establish an SSL (Secure Socket Layer) connection. During the SSL handshake, the parties exchange certificates and check their validity. They also check that the other party’s certificate was issued by a trusted CA (Certification Authority).

In this version we enhanced the authentication to validate that the certificate used by the end user was issued by one specific, configured issuer. Administrators can now configure which issuer is the valid issuer for PKI/PKIPN authentication.
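As an added illustration (not PVWA's code), the following Python shows the difference between "issued by a trusted CA" and "issued by the configured issuer". It uses the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns for a peer certificate; the function names and the sample certificates are assumptions constructed for this example.

```python
"""Issuer pinning on top of chain validation for client-certificate logon.

Added example, not PVWA code. Certificates are represented in the dictionary
format returned by ssl.SSLSocket.getpeercert(): the 'issuer' entry is a tuple
of RDNs, each RDN a tuple of (attribute, value) pairs. Function names and the
sample certificates are assumptions of this illustration.
"""
from __future__ import annotations

from typing import Tuple

DN = Tuple[Tuple[str, str], ...]  # ordered (attribute, value) pairs


def issuer_dn(cert: dict) -> DN:
    """Flatten getpeercert()['issuer'] into an ordered tuple of (attribute, value) pairs."""
    pairs = []
    for rdn in cert.get("issuer", ()):
        for attribute, value in rdn:
            pairs.append((attribute, value))
    return tuple(pairs)


def issuer_is_allowed(cert: dict, allowed_issuer: DN) -> bool:
    """True only when the complete issuer DN equals the configured issuer.

    Comparing the whole DN rather than just commonName matters: a certificate
    from a different CA that merely reuses the same commonName must be refused.
    """
    return issuer_dn(cert) == tuple(allowed_issuer)


def accept_client_certificate(cert: dict, chain_trusted: bool, allowed_issuer: DN) -> bool:
    """Both checks described in the release note must pass: the certificate must
    chain to a trusted CA (chain_trusted, decided by the TLS stack during the
    handshake) AND be issued by the one configured issuer."""
    return chain_trusted and issuer_is_allowed(cert, allowed_issuer)


# Constructed sample data (not real certificates).
ALLOWED_ISSUER: DN = (("countryName", "US"), ("organizationName", "Example Corp"),
                      ("commonName", "Example Corp Issuing CA 1"))

GOOD_CERT = {"subject": ((("commonName", "alice"),),),
             "issuer": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                        (("commonName", "Example Corp Issuing CA 1"),))}

# Same commonName under a different organization: it may chain to some other
# trusted root, but it is not the pinned issuer and must be refused.
LOOKALIKE_CERT = {"subject": ((("commonName", "alice"),),),
                  "issuer": ((("countryName", "US"),), (("organizationName", "Other Org"),),
                             (("commonName", "Example Corp Issuing CA 1"),))}

if __name__ == "__main__":
    print("good cert accepted:", accept_client_certificate(GOOD_CERT, True, ALLOWED_ISSUER))
    print("lookalike accepted:", accept_client_certificate(LOOKALIKE_CERT, True, ALLOWED_ISSUER))
```

The chain check and the issuer check are deliberately separate inputs: the TLS stack decides whether the certificate chains to any trusted CA, and the issuer comparison then narrows acceptance to the single CA the administrator configured.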

REST API

User Management and Account management are the key elements in the organization's onboarding automated processes.

This release includes several improvements in our REST API Web services specifically around these areas for easier automation and usage.

The following new APIs were added:

In addition, we enhanced the Get accounts REST API to filter the returned list according to a set of views. These Saved Filters let the developer display accounts according to predefined criteria based on account and operation status, such as Deleted, DisabledPasswordByCPM and ScheduledForReconcile. For each returned account that is deleted, we now also return the DeletedTimestamp, the time when the account was deleted.

Improved PVWA application logger

CyberArk introduced the new PVWA application logger in V11.4 to improve and simplify troubleshooting. In this version we complete the migration: it becomes the main logger of the PVWA and replaces two of the existing logs.

In addition, we are adding a new enhanced console log that will replace the old CyberArk.WebConsole.log console log.

These new logs will improve our logging capabilities by providing a clear log structure that enables faster troubleshooting and determines failures without the need to enable debug mode explicitly.

By the end of the year, we expect customers to complete their transition to the new application logger and therefore, the CyberArk.WebConsole.log, CyberArk.WebApplication.log and CyberArk.WebSession<sessionId>.log log files will be disabled by default on clean installations and upgrades of upcoming versions.

Central Policy Manager

AWS STS Connector

The Amazon Web Services Console is the main interface users leverage to make administrative changes to AWS services. This powerful tool is a prime target for abuse by attackers. It is critical that organizations secure AWS console access, ensuring that only appropriate users have access and only to the services required for their job function. The AWS recommended best practice for privileged console access is to restrict traffic to specific workstations, but this can be a challenge in large organizations.

We are happy to introduce a new Amazon Web Services (AWS) Console with STS connector for connecting via AWS STS. It replaces our previous plugin, is based on the Web applications for PSM framework, and is supported over Chrome and Internet Explorer.

This integration allows organizations to fully isolate and monitor AWS console sessions using Amazon Secure Token Service (STS), which provides temporary credentials.

To learn more, see AWS Cloud Services Management.

Privileged Session Manager

This version takes access enforcement to the next level and improves compliance control over the PSM path to the organization's critical assets.

Network-based access control to ad hoc connections

With office perimeters changing and employees no longer office-bound, it is essential to enforce their access to the organization's resources more tightly and to apply compliance and access regulations globally.

In this version, customers can now apply subnet-based rules to control the access of end users to specific targets based on their location.

Rules may be created on an allowlist or denylist approach, depending on the organization's settings.
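The following Python is an added illustration of how allowlist and denylist subnet rules can be evaluated for an ad hoc connection; it is not PSM's code. The Rule type, the rule fields, the mode names and the sample policy are assumptions of this example; the release note only states that rules are subnet-based and can follow either approach.

```python
"""Subnet-based access rules for ad hoc connections (added example, not PSM's code).

The Rule type, its fields, the mode names "allowlist"/"denylist" and the sample
policy are assumptions of this illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Rule:
    source: Network                     # client subnet the rule applies to
    targets: Optional[FrozenSet[str]]   # target hosts it covers; None means any target


def parse_rule(subnet: str, targets: Optional[Iterable[str]] = None) -> Rule:
    """Build a Rule from a CIDR string; strict=False tolerates host bits (e.g. 10.1.2.3/16)."""
    return Rule(ipaddress.ip_network(subnet, strict=False),
                None if targets is None else frozenset(targets))


def is_allowed(client_ip: str, target: str, rules: List[Rule], mode: str) -> bool:
    """Decide whether client_ip may open an ad hoc session to target.

    allowlist: the session is allowed only if some rule matches it.
    denylist:  the session is blocked if some rule matches it, otherwise allowed.
    A client address that does not parse is refused in both modes (fail closed).
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    matched = any(
        addr.version == rule.source.version
        and addr in rule.source
        and (rule.targets is None or target in rule.targets)
        for rule in rules
    )
    if mode == "allowlist":
        return matched
    if mode == "denylist":
        return not matched
    raise ValueError(f"unknown mode: {mode!r}")


if __name__ == "__main__":
    # Constructed sample policy: one branch subnet may reach a single database
    # host, the admin VLAN may reach any target.
    policy = [parse_rule("10.10.0.0/16", ["db01.corp.example"]),
              parse_rule("192.168.5.0/24")]
    for ip, host in [("10.10.3.7", "db01.corp.example"),
                     ("10.10.3.7", "web01.corp.example"),
                     ("172.16.0.1", "db01.corp.example")]:
        print(ip, "->", host, "allowlist:", is_allowed(ip, host, policy, "allowlist"))
```

Note that the same rule set gives opposite answers in the two modes: under an allowlist an unmatched client is refused, under a denylist it is admitted, so the mode the organization selects is part of the policy and should be reviewed together with the rules.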

Dual Control timeframe enforcement on ongoing PSM sessions

Controlling the timeframe for end users' access to the organization's assets is important from an accountability and compliance perspective.

In this version, we've added the option to enforce the Dual Control request's timeframe that is associated with the session and trigger a session termination once that timeframe reaches its end.

PSM registration flexibility

When a new PSM instance is registered to the Vault during the Registration stage of the installation, its IP address is written to the PSM server connection data in the configuration options. In this release we have added the option to register the PSM with its DNS name (FQDN), which provides flexibility in dynamically changing networks and makes it easier to secure PSM connectivity with SSL certificates.

This option is toggled by a new parameter in the Registration stage configuration and is not available when installing PSM via the installation wizard.

Privileged Session Manager for SSH

Continuous improvement of the compliance and security offering of SSH based sessions

Enhanced auditing for file transfer sessions

We are increasing the compliance coverage of SFTP session recordings by adding audit capabilities and including user activities as well as file information in the monitoring page.

SSH tunneling in PSM for SSH integrated mode

PSM for SSH enables authorized users to initiate and use an SSH tunnel to access a target SSH server, while providing start/end tunnel session audit capabilities. Through this tunnel, users can launch GUI applications such as Web or SQL from their workstation, maintaining their existing workflow.

Using PSM for SSH, Security Managers can control access by determining which users can access different target systems. 

In this version, PSM for SSH’s Integrated Mode provides the flexibility to configure SSH tunneling for specific systems, according to the access and security needs of the organization.

Privileged Threat Analytics

Simplified installation and upgrade

With today's high frequency of security vulnerabilities in various platforms and applications, it is important to give customers full control over package versioning and updates, aligned with their own patching processes, without requiring a PTA patch.

Starting this version, the PTA installation and upgrade processes will only include updates for the following third-party packages:

  • apache-activemq

  • apache-tomcat

  • mongodb

  • mongodb_exporter

  • monit

  • node_exporter

  • Prometheus

  • Pushgateway

  • Azul Zulu OpenJDK

This will enable customers to react fast in case of a published vulnerability related to the packages that are no longer part of the PTA installation process.

The rest of the packages that used to be part of PTA installation and upgrade will be considered as prerequisites and their installation will be verified by the PTA before starting the installation and upgrade process.

When PTA is deployed from the disk image, the installation will still include all third-party packages. However, following the initial deployment and moving forward, customers should manage any future updates and security patches of these third party packages.

Version 12.6 is the last version that supports PTA installation as an image from disk. Beginning with the next version, CyberArk will no longer provide PTA as an image from disk.

MongoDB version upgrade

The embedded MongoDB version used by PTA has been upgraded from version 3.6 to version 4.4.

Sensor connectivity indication on system health page

To improve the visibility of PTA's health, in this version the system health page has been extended with information about when each sensor last communicated with the PTA.

Cross-site request forgery (CSRF) Protection

CSRF exploits browser behavior: the browser attaches the existing session parameters (such as cookies) to any request sent to the same site, which lets an attacker forge a state-changing request and manipulate the user into triggering it.

With CSRF protection, each request carries a CSRF token that is unique to the current user session, so a generic request forged from another site cannot be valid.

In this version, we've added CSRF protection on the PTA classic UI.
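As an added illustration (not PTA's implementation), the following Python issues a token bound to one session and refuses state-changing requests that do not carry it. The function names and the dict-based request model are assumptions of this example.

```python
"""Per-session CSRF tokens (added example, not PTA's implementation).

The token is HMAC-SHA256(server_secret, session_id): unique to the session and
not producible without the server's secret. The function names and the
dict-based request model are assumptions of this illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Mapping, Optional, Tuple

# Generated at startup here; a real service keeps this in protected
# configuration so that tokens stay valid across restarts.
_SERVER_SECRET = secrets.token_bytes(32)

# Methods that must not change state and therefore need no token.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def issue_csrf_token(session_id: str) -> str:
    """Return the token to embed in pages rendered for this session."""
    return hmac.new(_SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token with the session's expected token."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def handle_request(method: str, session_id: str, form: Mapping[str, str]) -> Tuple[int, str]:
    """Apply the check to state-changing requests only; returns (status, message).

    A cross-site page can make the browser send the session cookie, but it
    cannot read the token the legitimate page embedded, so a forged request
    arrives without a valid token and is refused.
    """
    if method.upper() not in SAFE_METHODS and not verify_csrf(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, "ok"


if __name__ == "__main__":
    token = issue_csrf_token("session-A")
    print(handle_request("POST", "session-A", {"csrf_token": token}))   # accepted
    print(handle_request("POST", "session-A", {}))                      # refused: no token
    print(handle_request("POST", "session-B", {"csrf_token": token}))   # refused: other session's token
```

Because the token is derived from the session identifier, it does not need to be stored server-side, and a token captured from one session is useless against any other session.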

Risky commands expansion to Google Cloud commands

The default list of risky commands has been extended to include commands that are relevant for Google Cloud.

Unmanaged Privileged Access (UPA) exclude list

Starting this version, customers can exclude specific usernames that they consider irrelevant to the detection of unmanaged privileged users.

Security Enhancements

TLS 1.2 Support

  • CPM

    CPM supports the use of TLS 1.2 for incoming connections to the CPM and outgoing connections to targets. It is a security best practice to disable TLS 1.0 and 1.1 to ensure the use of the higher level encryption protocol.

    Starting from this version, we will disable TLS 1.0 and 1.1 on the CPM server by default as part of CPM hardening. Customers who would like to use previous TLS versions can configure the system to allow these versions after the hardening phase is completed, or exclude this step from the hardening phase in advance. See Updates IIS SSL/TLS settings for more information.

  • PAM - Self-Hosted on cloud - Vault integration with Azure Key Vault

    Microsoft has announced the deprecation of TLS 1.0 and TLS 1.1 starting May 31, 2022 when integrating with the Azure Key Vault service.

    Since CyberArk Azure images integrate with Azure Key Vault to protect the server key, CyberArk Vault images have been updated accordingly to support TLS 1.2 for the .NET Framework.

  • PTA - TLS 1.2 enforcement during installation

    Following security best practices, starting this version new deployments of PTA will use TLS 1.2-based communication by default for incoming syslog ports.

    Customers can change this configuration either during the installation process or manually through the system properties file.

    This change is not applicable for existing deployments, although we strongly recommend that customers update manually and start using TLS 1.2 if they haven't done so by now.

PVWA internal components upgrade

Internal components were upgraded to enhance security and make technological improvements to the operating system and third-party components for the PVWA Server. The PVWA hardening process was updated accordingly.

Released PAM - Self-Hosted components

Component   | Version | Internal Build Number
Vault       | 12.6    | 12.6.0.21
PVWA        | 12.6    | 12.6.0.40
CPM         | 12.6    | 12.6.0.4
PSM         | 12.6    | 12.6.0.14
PSM for SSH | 12.6    | 12.6.0.26
PTA         | 12.6    |

Who should install this version

We recommend that all customers upgrade to the latest version.

Installation and upgrade notes

For complete installation instructions for all components, see Install PAM - Self-Hosted. For complete upgrade instructions, see Upgrade.

Vault

Before upgrading CyberArk Digital Vault to this version, you must migrate all existing operating systems to Windows Server 2016 or Windows Server 2019. For more information, see Migrate the Vault Operating System.

CPM

Important: Make sure to complete and follow all installation and hardening steps according to the documentation.

Important: This CPM version contains GPO changes. You must import the hardening file that is supplied with the installation package and follow the Hardening CPM servers in a domain or Hardening CPM servers in a domain after upgrade instructions.

Due to the changes described below, we recommend disabling the CyberArk Password Manager service until you complete the following instructions.

As part of the upgrade, the following local Windows users are created on the CPM machine, in addition to the PasswordManagerUser:

  • PluginManagerUser – All plugins will run using this user by default.

  • ScannerUser – Scanner service will run using this user.

For more information regarding the installation changes, see Creates Local Windows Service users and configures permissions.

Due to this change, all PMTerminal-based plugins must be migrated to Terminal Plugin Controller (TPC) to work properly. In addition, as some of the custom plugins might also be affected, CyberArk recommends testing them to verify they work properly with their new user.

  1. PMTerminal based plugins:

    1. Follow Scan and review existing platforms to identify platforms working with PMTerminal-based plugins. If no platform was identified, skip to section 2 below.

    2. If PMTerminal-based plugins are found, migrate all tested PMTerminal-based plugins and platforms to run using TPC by following Migrate platforms from PMTerminal to TPC.
      For automatic migration of the platforms, use the PMTerminal to TPC tool (see Option 2 - Migrate all platforms from PMTerminal to TPC automatically).

    3. If a plugin cannot be migrated to TPC, or if you need to perform the migration gradually, refer to section 2.d. below.

      Connecting to Mainframe devices using WC3270 is not supported by TPC.

    4. Go back to step 1.b. to complete the migration for all PMTerminal-based plugins to run using TPC.

  2. Custom plugins:

    1. Custom plugins may experience issues after the CPM version upgrade; therefore, we recommend that you test them after the upgrade or patch to verify they run properly.

    2. To test a plugin, trigger a password Change / Verify task. If the task succeeds, no further action is required.

    3. If the plugin fails to run, CyberArk strongly recommends modifying the plugin so it can run with the PluginManagerUser user.

    4. As a temporary mitigation only, until the plugin is modified to run with the PluginManagerUser user, update the respective user permissions of the plugin files to least privilege according to Change permissions of plugin-related files, and enable the RunPluginWithHighPrivilege flag on the specific platform (see Enable higher user privileges on a specific platform for more details).

PTA

PTA as a Software

  1. The content of the PTA installation and upgrade packages has been changed and will only include updates to the following third-party packages:

    • apache-activemq

    • apache-tomcat

    • mongodb

    • mongodb_exporter

    • monit

    • node_exporter

    • Prometheus

    • Pushgateway

    • Azul Zulu OpenJDK

  2. The following packages that used to be part of PTA installation and upgrade will be considered as prerequisites and their installation will be verified by the PTA before starting the installation and upgrade process:

    • libcgroup

    • yum-utils

    • wget

    • tcpdump

    • iptables-services

    • ntp rsync

    • net-tools

    • dos2unix

    • lsof

    • unzip

    • bc

    • libstdc++

    • sysstat

    • bind-utils

    • cyrus-sasl

    • cyrus-sasl-gssapi

    • cyrus-sasl-plain

    • hostname

    • lua

    • net-snmp

    • tcsh

    • tmpwatch

    • perl

    • open-vm-tools

    • sshpass

  3. PTA installation wizard - An additional step will be added to notify the user about the changes in the installation for 12.6. The customer must acknowledge this step to proceed with the installation.


  4. On the PTA upgrade to 12.6, an additional step will be added to validate that prerequisite OS packages and third-party software exist in the server.


  5. On manual installation, an additional step will be added to validate that prerequisite OS packages and third-party software exist in the server.


TLS v1.2 enforcement

The PTA installation wizard will have an additional step enabling you to modify the default configuration for ports 512 and 11514 when selecting y:

Selecting n will skip this step and continue with the existing PTA installation wizard installation flow.

MongoDB version upgrade

MongoDB upgrade will be triggered from the PTA primary server upgrade and will perform the MongoDB upgrade in both the primary and secondary (DR) PTA servers.

An additional step will be added to the PTA primary upgrade to enter the root user password for the PTA secondary (DR) server.


PTA DR upgrade will not be affected and will be required as well.

UPA exclude list

A new property will be added to the Systemparm.properties file:

upa_excluded_account_list - A list of privileged account names that PTA will not alert UPA about, even if they are not stored in the Vault.

Bug fixes

Core PAM - Self-Hosted bug fixes

You can review the Core PAM - Self-Hosted bugs fixed in this release in our online community.

Note:  Links for versions prior to 12.0 no longer work. If you click the link, you will go to https://cyberark-customers.force.com/s/search-results, and then you must apply the appropriate filters.

Note:  To make your search easier, you can filter by product, component, status, and affected version. If you haven’t yet registered with the community, log in for self-registration using the relevant link:

Enhancement requests

The following enhancement requests were implemented in this release:

Enhancement Request ID | Component        | Description
16696                  | Vault            | Support SSL/TLS version enforcement in Vault hardening
4569, 2565             | Vault            | CAVaultManager.exe CollectLogs to collect the Archive logs folder
12222                  | PAKeyGen Utility | PAKeyGen utility to support the 64-bit PKCS DLL
20715                  | Vault            | Vault images for Windows Server 2019 for Amazon AWS and Microsoft Azure
15889                  | PVWA             | Clarify in the documentation regarding .NET support
23114                  | PVWA             | On the Accounts Versions tab, Hide CPM temporary password versions does not refresh or display the other entries when the slider bar is triggered
17821                  | PVWA             | Role-based permission Safe management
17421                  | PVWA             | Add certificate issuer validation to PKI/PKIPN authentication
14574                  | PVWA             | REST API - List deleted accounts
14522                  | Connector        | PSM-WebApp for AWS Console with STS (Chrome)
13205                  | PSM for SSH      | Supports auditing in SFTP sessions for upload (put) and download (get) of files
14944                  | PSM              | Terminate PSM session at end of request timeframe
13563                  | PSM              | Automatic deletion of old PSM application log files from the PSM server was added as an optional configuration

Platform end of support

CyberArk may choose not to provide maintenance and support services for CyberArk’s Privileged Access Manager - Self-Hosted solution for platforms and systems that have reached their formal End-of-Life date, as published by their respective vendors.

Product | Version | Description

Vault, Replicate, Backup, Export Vault Data (EVD), PAKeyGen, Remote Control Client, PACLI, PVWA, CPM, PSM, PTA Agent | 12.6 | CyberArk will not support these components installed on Windows 2012 R2.

PVWA | 12.6 | The following Web Services APIs will be deprecated as they already have improved replacements:
    Get user details - https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName}
    Add user - https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users
    Update user - https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName}
    Delete user - https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName}
    Activate user - https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName}
    Add member to group - https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Groups/{GroupName}/Users
    Get Safe details - https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName}
    Update Safe - https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName}
    Update member - https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName}/Members/{MemberName}
    Get Safe account groups - https://<IIS_Server_Ip>/PasswordVault/API/Safes/{SafeName}/AccountGroups

PVWA | 12.6 | Oracle SSO and RSA SecurID authentications will no longer be provided out of the box and will no longer be supported.

PVWA | 12.6 | CyberArk introduced in V12.2 the improved solution for Business Users via the CyberArk Identity service. Business users can now log in seamlessly to web applications directly from the application login pages, leveraging the user-friendly auto-capture and credential form-fill capabilities when launching such applications from the CyberArk Identity Browser Extension, User Portal, and Mobile App. The two solutions cannot be supported side by side; therefore, the Business Users solution via the PVWA will no longer be available by default in all clean installs and upgrades. We encourage our customers to move to the Identity solution.

PVWA | 12.6 | Internet Explorer versions 8.0, 9.0 and 10.0 will no longer be supported with the PVWA Classic interface.

Password Upload Utility | 12.6 | Today our customers can add accounts to the Password Vault using web services or the PVWA itself (Add an account in V10 Interface, Add multiple accounts from a file in V10 Interface), or via the Accounts Feed by using the CPM to scan an organizational network and retrieve a list of accounts and their dependencies.
    Starting June 30, 2022, CyberArk ends support for the Password Upload Utility, a tool based on an old technology that was used in the past to upload multiple accounts to the Password Vault.

PSM | 12.6 | CyberArk will no longer support ActiveX connections. We strongly advise customers who are using ActiveX to transition to our built-in connection methods.

PVWA | Next version | In our next version, CyberArk will remove the following old PVWA logs:
    • CyberArk.WebApplication.log
    • CyberArk.WebSession<sessionId>.log
    In addition, the CyberArk.WebConsole.log logger will remain but will be disabled by default on clean installations and upgrades.

PVWA | Next version | We will remove the Resolve button from the Add Account, Edit Account, and Connect screens. The Resolve button resolves the remote machine’s domain automatically by populating the domain name in the Logon To field. This value must be specified manually.

PSMP | Next version | CyberArk will no longer support Custom Mode. We strongly recommend that customers use Integrated Mode instead, which is modern, reliable, and best practice. New features will be developed for Integrated Mode only.

PSM for SSH | Next version | CyberArk will no longer support Telnet-based connections. As a security best practice, SSH connections are highly recommended.

System requirement changes

Review the following system requirement changes before installing or upgrading the components specified in Version 12.6.

Component | Description

Vault, Replicate, Backup, Export Vault Data (EVD), PAKeyGen, Remote Control Client, PACLI, PVWA, CPM, PSM, PTA Agent | CyberArk will not support installation on Windows 2012 R2.

Vault | Starting this version, the Visual Studio C++ Distribution installation executable, a prerequisite of the Vault installation, is no longer part of the Vault installation package. The Vault installation validates that the C++ Distribution is installed before allowing you to continue with the installation.

PVWA - ServiceNow Ticketing System | Integrating the privileged accounts workflow with ServiceNow Incident Management and Change Management is now supported for the Rome and San Diego versions. ServiceNow is now available in the CyberArk Marketplace.

PVWA | Please note that Microsoft has announced that the Internet Explorer (IE) 11 desktop application will end support for certain operating systems starting June 15, 2022. Customers are encouraged to move to Microsoft Edge with IE mode or other browsers. Starting June 15, 2022, CyberArk will no longer support PVWA (all its versions) on IE 8.0, 9.0, 10.0 and 11.

PVWA | Starting this version, we added RHEL 7.9, RHEL 8.2, and CentOS 7 to the list of target machines that can be scanned using Accounts Feed discovery.

PVWA | CyberArk will not support the PVWA on Windows 2012 R2.

CPM | CyberArk will not support the CPM on Windows 2012 R2.

PSM for SSH | Support installation on RHEL 8.6.

PTA | PTA as a software: the following third-party packages will be considered prerequisites for the PTA installation and will be verified by the PTA before installation and upgrade:
    • libcgroup
    • yum-utils
    • wget
    • tcpdump
    • iptables-services
    • ntp rsync
    • net-tools
    • dos2unix
    • lsof
    • unzip
    • bc
    • libstdc++
    • sysstat
    • bind-utils
    • cyrus-sasl
    • cyrus-sasl-gssapi
    • cyrus-sasl-plain
    • hostname
    • lua
    • net-snmp
    • tcsh
    • tmpwatch
    • perl
    • open-vm-tools
    • sshpass

Behavior change notes

# | Component | Area | Description

1 | Vault | CAVaultManager Utility | The CollectLogs parameter in CAVaultManager now supports collecting the Archive folder of logs, located in /Server/Logs/Archive, when the /Archive flag is specified.

2 | Vault | Deployment on Azure | When deploying the Vault in Azure using CyberArk images, TLS 1.2 is used to communicate with Azure Key Vault (AKV) and Azure Storage.

3 | Vault | Logging | Default logging of the Vault now has archiving enabled. The TraceArchiveMaxSize parameter is set to the default value of 5120 MB.

4 | Vault | Logging | Italog.log is now rolled to Archive. The ItalogRetentionSize parameter is set to the default value of 150 MB.

5 | Vault | Hardening | The Vault hardening on Windows Server 2016 command has changed.

6 | Vault | Hardening | Vault hardening disables weak protocols (TLS 1.0, TLS 1.1, SSL 1.0, SSL 2.0, SSL 3.0) and weak cipher suites by default. Customers who would like to use older versions can enable them after performing the Vault hardening.

7 | PVWA | PVWA Logger | The following logs of the PVWA will be disabled by default on clean installations and upgrades:
    • CyberArk.WebApplication.log
    • CyberArk.WebSession<sessionId>.log

8 | PVWA | Business Users | As previously announced, the Business Users solution in the PVWA will no longer be available starting this version. We encourage you to move to the Identity solution and gain enhanced capabilities. For all questions regarding Business Users deployment, please contact your customer success representative.

9 | CPM | Hardening | Starting from this version, we will disable TLS 1.0 and 1.1 on the CPM server by default as part of CPM hardening. Customers who would like to use previous TLS versions can configure the system to allow these versions after the hardening phase is completed, or exclude this step from the hardening phase in advance. See Updates IIS SSL/TLS settings for more information.

10 | CPM | Upgrade | As part of the upgrade, the following local Windows users are created on the CPM machine, in addition to the PasswordManagerUser:
    • PluginManagerUser – All plugins run using this user by default.
    • ScannerUser – The Scanner service runs using this user.
    For more information regarding the installation changes, see Creates Local Windows Service users and configures permissions.

11 | PSMP | SSH Keys, Smart Card or MFA caching in Integrated | Support for SSH-RSA was deprecated in OpenSSH v8.8. This causes SSH key authentication to the target to fail when the private key type is ssh-rsa. To support this key type, add the algorithm back to the SSH configuration file. For more information, see https://www.openssh.com/txt/release-8.8
    To enable usage of this deprecated public key algorithm, add PubkeyAcceptedKeyTypes +ssh-rsa to your SSH configuration file in the following locations:
    • /etc/ssh/ssh_config - to add it to the global ssh configuration
    • /home/PSMShadowUser/.ssh/config - for PSMP connections only. If the file does not exist, create it using the following commands:
      1. touch /home/PSMShadowUser/.ssh/config
      2. chmod 770 /home/PSMShadowUser/.ssh/config
      3. chown PSMShadowUser:PSMShadowUsers /home/PSMShadowUser/.ssh/config
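The following Python is an added example, not a CyberArk tool, that applies the change above to a client configuration file: it creates the file with mode 770 when it is missing, adds PubkeyAcceptedKeyTypes +ssh-rsa to the global section when no such directive exists, and extends an existing directive that lacks ssh-rsa. Function names are assumptions of this example; the chown step is optional because it requires root.

```python
"""Re-enable ssh-rsa in an ssh_config (added example, not CyberArk's tooling).

Applies the release note's change (PubkeyAcceptedKeyTypes +ssh-rsa) to a client
configuration file, creating it with mode 770 when absent as the note's
touch/chmod steps do. Function names are assumptions of this example.
"""
from __future__ import annotations

import os
import re
import shutil
import tempfile
from pathlib import Path
from typing import List, Optional

DIRECTIVE = "PubkeyAcceptedKeyTypes"
ALGO = "ssh-rsa"
_DIRECTIVE_RE = re.compile(rf"^\s*{DIRECTIVE}[\s=]+(\S.*?)\s*$", re.IGNORECASE)
_BLOCK_RE = re.compile(r"^\s*(Host|Match)\b", re.IGNORECASE)


def ensure_ssh_rsa_accepted(config_path: str, owner: Optional[str] = None,
                            group: Optional[str] = None) -> str:
    """Make ssh-rsa an accepted key type and report the action taken:
    "created", "inserted", "amended", "unchanged" or "manual"."""
    path = Path(config_path)
    if not path.exists():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(f"{DIRECTIVE} +{ALGO}\n")
        os.chmod(path, 0o770)                      # the note's chmod 770 step
        if owner or group:
            shutil.chown(path, user=owner, group=group)   # the note's chown step (needs root)
        return "created"

    lines = path.read_text().splitlines()
    # Only the global section (before the first Host/Match block) is examined and
    # edited, so the setting applies to every connection and is not accidentally
    # appended under the last Host block of the file.
    global_end = next((i for i, line in enumerate(lines) if _BLOCK_RE.match(line)), len(lines))
    for i in range(global_end):
        match = _DIRECTIVE_RE.match(lines[i])
        if not match:
            continue
        value = match.group(1)
        if value.startswith("-"):
            return "manual"     # a removal list: an operator should reconcile it by hand
        if ALGO in value.lstrip("+^").split(","):
            return "unchanged"
        lines[i] = lines[i].rstrip() + f",{ALGO}"  # extend the existing list
        path.write_text("\n".join(lines) + "\n")
        return "amended"
    lines.insert(global_end, f"{DIRECTIVE} +{ALGO}")   # no directive yet: add one globally
    path.write_text("\n".join(lines) + "\n")
    return "inserted"


def demo() -> List[str]:
    """Run the function over constructed files in a temporary directory and
    return the actions taken, in order."""
    root = tempfile.mkdtemp()
    cases = {
        "missing": None,
        "has_other_algo": f"{DIRECTIVE} ssh-ed25519\nHost bastion\n    User psm\n",
        "only_in_host_block": f"Host bastion\n    {DIRECTIVE} ssh-ed25519\n",
        "removal_list": f"{DIRECTIVE} -{ALGO}\n",
    }
    actions = []
    for name, content in cases.items():
        config = os.path.join(root, name, "config")
        if content is not None:
            os.makedirs(os.path.dirname(config), exist_ok=True)
            Path(config).write_text(content)
        actions.append(ensure_ssh_rsa_accepted(config))
    actions.append(ensure_ssh_rsa_accepted(os.path.join(root, "missing", "config")))  # second run
    shutil.rmtree(root)
    return actions


if __name__ == "__main__":
    print(demo())   # expected: ['created', 'amended', 'inserted', 'manual', 'unchanged']
```

The "manual" outcome is deliberate: a directive such as PubkeyAcceptedKeyTypes -ssh-rsa means someone removed the algorithm on purpose, and an automated edit should not silently reverse that decision.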

12 | PSM | AppLocker DLL policy | AppLocker hardening now uses the allowlist model by default to create DLL file rules: all DLLs are blocked from execution by PSM-related users except those listed in the AppLocker configuration or those automatically detected as required by allowed applications, such as PSM connection clients.

13 | PTA | Installation | Version 12.6 is the last version that supports PTA installation as an image from disk. Beginning with the next version, CyberArk will no longer provide PTA as an image from disk.

14 | PVWA | API support | In this version, the legacy 1st-generation versions of the following APIs are no longer supported. The replacing 2nd-generation APIs remain under support.
    https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName}
      replaced with https://<IIS_Server_Ip>/PasswordVault/API/Users/{UserID}
    https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users
      replaced with https://<IIS_Server_Ip>/PasswordVault/API/Users
    https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName}
      replaced with https://<IIS_Server_Ip>/PasswordVault/API/Users/{userID}/
    https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName}
      replaced with https://<IIS_Server_Ip>/PasswordVault/API/Users/{UserID}/
    https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName}
      replaced with https://<IIS_Server_Ip>/PasswordVault/API/Users/{UserID}/Activate
    https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Groups/{GroupName}/Users
      replaced with https://<IIS_Server_Ip>/PasswordVault/API/UserGroups/{id}/Members
    https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName}
      replaced with https://<IIS_Server_Ip>/PasswordVault/API/Safes/{SafeUrlId}/
    https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName}
      replaced with https://<IIS_Server_Ip>/PasswordVault/API/Safes/{SafeUrlId}/
    https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName}/Members/{MemberName}
      replaced with https://<IIS_Server_Ip>/PasswordVault/API/Safes/{SafeUrlId}/Members/{MemberName}/
    See REST APIs for APIs supported in this version.
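The following Python is an added example, not a CyberArk tool, for finding automation that still calls the deprecated endpoints listed here and in the Platform end of support table above, so that it can be moved to the 2nd-generation paths before the legacy ones stop working. It scans IIS W3C log lines for the legacy PIMServices.svc paths; the log lines are constructed samples and the function names are assumptions of this example.

```python
"""Find callers still using deprecated 1st-generation PVWA endpoints.

Added example, not a CyberArk tool. Scans IIS W3C log lines for the legacy
PIMServices.svc paths and reports, per client address and user agent, how often
each is hit and which 2nd-generation path replaces it. The sample log lines are
constructed; the function names are assumptions of this illustration.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from typing import Dict, Tuple

_SVC = r"^/PasswordVault/WebServices/PIMServices\.svc"
# Order matters: the more specific Members pattern is tried before the plain Safe pattern.
LEGACY_TO_V2 = [
    (re.compile(_SVC + r"/Users/[^/]+$", re.I), "/PasswordVault/API/Users/{UserID}"),
    (re.compile(_SVC + r"/Users$", re.I), "/PasswordVault/API/Users"),
    (re.compile(_SVC + r"/Groups/[^/]+/Users$", re.I), "/PasswordVault/API/UserGroups/{id}/Members"),
    (re.compile(_SVC + r"/Safes/[^/]+/Members/[^/]+$", re.I),
     "/PasswordVault/API/Safes/{SafeUrlId}/Members/{MemberName}/"),
    (re.compile(_SVC + r"/Safes/[^/]+$", re.I), "/PasswordVault/API/Safes/{SafeUrlId}/"),
]

Client = Tuple[str, str]  # (c-ip, user agent)


def find_legacy_api_calls(log_text: str) -> Dict[Client, Dict[str, int]]:
    """Return {(client_ip, user_agent): {replacement_path: hit_count}} for legacy calls.

    Column positions come from the '#Fields:' directive, so any field selection
    works as long as cs-uri-stem, c-ip and cs(User-Agent) are logged.
    """
    fields = None
    hits: Dict[Client, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split(" ")
        if len(cols) != len(fields):
            continue  # malformed line: skip rather than misattribute columns
        rec = dict(zip(fields, cols))
        path = rec.get("cs-uri-stem", "")
        for pattern, replacement in LEGACY_TO_V2:
            if pattern.match(path):
                client = (rec.get("c-ip", "?"), rec.get("cs(User-Agent)", "?"))
                hits[client][replacement] += 1
                break
    return {client: dict(counter) for client, counter in hits.items()}


# Constructed sample log (IIS W3C format); addresses and user agents are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-06-01 08:00:01 10.0.0.5 GET /PasswordVault/WebServices/PIMServices.svc/Users/jdoe - 443 - 10.0.1.20 onboarding-script/1.0 200
2022-06-01 08:00:02 10.0.0.5 POST /PasswordVault/WebServices/PIMServices.svc/Users - 443 - 10.0.1.20 onboarding-script/1.0 201
2022-06-01 08:00:03 10.0.0.5 GET /PasswordVault/API/Users/42 - 443 - 10.0.1.30 Mozilla/5.0 200
2022-06-01 08:00:04 10.0.0.5 PUT /PasswordVault/WebServices/PIMServices.svc/Safes/Finance/Members/jdoe - 443 - 10.0.1.40 curl/7.79 200
2022-06-01 08:00:05 10.0.0.5 GET /PasswordVault/WebServices/PIMServices.svc/Safes/Finance - 443 - 10.0.1.40 curl/7.79 200
"""

if __name__ == "__main__":
    for (ip, agent), counts in find_legacy_api_calls(SAMPLE_LOG).items():
        for replacement, n in counts.items():
            print(f"{ip} ({agent}): {n} call(s); migrate to {replacement}")
```

Grouping by client address and user agent points directly at the script or integration that owns the call, which is what an upgrade plan needs; the 2nd-generation replacement is listed beside each hit so the owner knows what to move to.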

Known issues

For all known issues and limitations, see Known Issues.