Install remote administration clients
Remote Administration enables administrators to manage Vault components from a remote computer, without having to physically approach the machine where the component is installed. This feature is installed and configured automatically during the Vault server installation.
This section introduces you to remote administration, so that you can configure it manually after installation, according to your enterprise needs.
Remote control
The CyberArk Vault Remote Control feature enables users to carry out several operations on Vault components from a remote terminal. It comprises two elements – the Remote Control Agent and the Remote Control Client. The Agent is installed as part of the Vault component, on the Server and the Disaster Recovery Server.
Users can also receive information and retrieve log details from the component machine. In addition, users can view the CPU usage and free disk space, and can set, retrieve, and delete certain parameters in configuration files of the component.
The Remote Control Agent
The Remote Control Agent is installed in the Server installation folder on the Vault machine and is automatically configured to recognize the Client. The Remote Control Agent configuration file, PARAgent.ini, contains the remote control parameters which determine the remote location from where the Vault server can be accessed. For details, see Remote Control Agent Parameter File.
If the remote control agent is configured during installation, it will be installed as an automatic service. Otherwise, the agent is installed as a manual service, and in order to enable it, it must be switched to an automatic service, then started. As a service, it is permanently active. This includes periods of time when the Vault components are down, enabling the Remote Control Client to restart them.
For more information about configuring the Remote Control Agent manually, refer to Configure Remote Monitoring.
For more information about the Remote Control Client, and installing and using it, refer to Remote Control Client.
Remote monitoring
Remote Monitoring uses SNMP to send Vault traps to a remote terminal. This enables users to receive both Operating System and Vault information, as follows:
■ CPU, memory, and disk usage
■ Event log notifications
■ Service status
■ Password Vault and DR Vault status
■ Password Vault and DR Vault logs
For details about configuring remote monitoring, see
Remote configuration
The configuration files and the log files that are used in remote configuration are stored in the System Safe. This Safe is defined as a highly-secured internal area that authorized Users can log onto from a similarly defined network area.
Configuration files
CyberArk Vault configuration files can be accessed by specific Safe members from their PrivateArk Client. So, Owners who have the correct permissions can modify configuration files from their own workstations and not just from the Server terminal.
All access to the files through the PrivateArk Client is tracked by Visual Security, and versions are stored by the Vault, enabling Users to view and use previous configurations if necessary.
Each time the Server is restarted, the last set of configuration files that enabled the CyberArk Vault Server to start successfully is copied to the Server installation directory, and the extension ‘.GOOD’ is added to each file name. For example, the copy of the most recent successful DBParm.ini file would be called DBParm.ini.GOOD.
This feature can be used as a fallback if the Server cannot restart after new changes have been made to the configuration files, by replacing the new .ini files with the .GOOD files. Alternatively, you can use the PARClient utility which does this automatically. For details, see Remote control.
All ini files are essential for the CyberArk Vault to work properly, and none must be renamed or erased.
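The manual fallback described above, as an added Python example (not CyberArk code): it copies each current .ini file aside before restoring the matching .GOOD file, and skips files that are already identical. The three directory arguments and the sample file contents are assumptions; point them at wherever the .GOOD copies and the live .ini files sit in your installation.

```python
"""Added example: fall back to the .GOOD copies of the Vault .ini files."""
import filecmp
import shutil
import tempfile
from pathlib import Path


def rollback_to_good(good_dir, conf_dir, backup_dir):
    """Replace each changed .ini in conf_dir with its .GOOD copy from good_dir.

    The current file is copied to backup_dir first, so the change that stopped
    the Server from restarting can still be reviewed. Returns the names replaced.
    """
    good_dir, conf_dir, backup_dir = Path(good_dir), Path(conf_dir), Path(backup_dir)
    replaced = []
    for good in sorted(good_dir.glob("*.ini.GOOD")):
        live = conf_dir / good.name[: -len(".GOOD")]    # DBParm.ini.GOOD -> DBParm.ini
        if live.exists():
            if filecmp.cmp(good, live, shallow=False):
                continue                                # identical to the last good start
            backup_dir.mkdir(parents=True, exist_ok=True)
            shutil.copy2(live, backup_dir / live.name)  # keep the failing version
        shutil.copy2(good, live)                        # restore known-good content
        replaced.append(live.name)
    return replaced


def demo():
    """Run the rollback on constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        good_dir, conf_dir = Path(tmp) / "good", Path(tmp) / "conf"
        backup_dir = Path(tmp) / "backup"
        good_dir.mkdir()
        conf_dir.mkdir()
        # Constructed contents; SampleParam is a placeholder, not a real parameter.
        (good_dir / "DBParm.ini.GOOD").write_text("SampleParam=known-good\n")
        (conf_dir / "DBParm.ini").write_text("SampleParam=new-change\n")
        (good_dir / "Other.ini.GOOD").write_text("SampleParam=same\n")
        (conf_dir / "Other.ini").write_text("SampleParam=same\n")
        replaced = rollback_to_good(good_dir, conf_dir, backup_dir)
        return (replaced, (conf_dir / "DBParm.ini").read_text(),
                (backup_dir / "DBParm.ini").read_text())


if __name__ == "__main__":
    print(demo())
```

The returned list shows which files actually differed from the last successful start, which narrows down the change that prevented the restart.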
Log files
In addition to the configuration files, the System Safe also stores log files, which can be retrieved and viewed by Safe members.
The CyberArk Vault does not store versions of the log files, but updates the current files with new log data on a regular basis. These files cannot be modified, renamed, or erased by the user.
The parameters that enable remote configuration are specified in PARAgent.ini. For details, see Remote Control Agent Parameter File.
Remote Master logon
Use this option only in a disaster scenario where you are unable to log in locally.
This enables the Master User to carry out Master activities from a remote terminal with the same ability as if they were logged on to the Server terminal.
To allow a Master User to remotely log in to the Vault:
- Navigate to the /Server/Conf/ folder, and open the DBParm.ini file.
- Add the EmergencyStationIP parameter with the IP address of the location from where the Master User can log on to the Server computer.
Before logging on to the Server from a remote computer, place the Master CD in the CD-ROM drive of the Server computer. After you have logged off from the Server, remove the Master CD and return it to a secure place.
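An added example (not part of the CyberArk documentation) of a check to run on a copy of DBParm.ini: it reports any active EmergencyStationIP line, so that remote Master logon does not stay enabled outside a disaster scenario. The comment characters, the case-insensitive key match, and the approved_ip argument are assumptions of this example, and the sample file content is constructed.

```python
"""Added example: audit a DBParm.ini for remote Master logon."""
import ipaddress

# Constructed sample; SampleParam is a placeholder, 192.0.2.x are documentation addresses.
SAMPLE_DBPARM = """\
SampleParam=1
*EmergencyStationIP=192.0.2.99
EmergencyStationIP = 192.0.2.10
"""


def emergency_station_entries(text):
    """Return (line_number, value) for every active EmergencyStationIP line."""
    entries = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Assumption: '*', ';' and '#' start a comment line in this file.
        if not line or line[0] in "*;#" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "emergencystationip":   # assumption: case-insensitive key
            entries.append((number, value))
    return entries


def audit_remote_master_logon(text, approved_ip=None):
    """List findings. approved_ip is the station agreed for a declared disaster,
    or None when no disaster is in progress and the parameter should be absent."""
    findings = []
    for number, value in emergency_station_entries(text):
        try:
            address = ipaddress.ip_address(value)
        except ValueError:
            findings.append(f"line {number}: '{value}' is not a single IP address")
            continue
        if approved_ip is None:
            findings.append(f"line {number}: remote Master logon enabled for {address}")
        elif address != ipaddress.ip_address(approved_ip):
            findings.append(f"line {number}: {address} is not the approved station {approved_ip}")
    return findings


if __name__ == "__main__":
    for finding in audit_remote_master_logon(SAMPLE_DBPARM):
        print(finding)
```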