General settings

This topic describes how to configure the general settings for the PSM.

Overview

In Web Access Options, the General Settings parameters in the Privileged Session Management section define how the PSM functions.

These parameters are divided into the following groups:

General Setting > Parameter Name PSM capability

Search properties

Define the password and recording properties that can be used to search for session recordings.

Search properties

Server settings

Define the general PSM server settings.

Server settings

Configure the PSM log files.

Configure privileged sessions

Session settings

Define single sessions and the way that PSM handles recordings that cannot be uploaded to the Vault.

Configure privileged sessions
Upload recorded sessions to the Vault

Recorder settings

Configure the session recorder

Manage recording sessions

Connection client settings

Configure connection clients.

Configure PSM server details

Search properties

The parameters in SearchProperties define the password and recording properties that can be used to search for session recordings.

Parameter

Description

MaxRecords

Specifies the maximum number of session recordings that are included in the recordings search results.

Default: 1000

Recording

Defines the recording properties that are searched.

Password

Defines the password properties that are searched.

Server settings

Define the general PSM server settings.

Parameter

Description

MaxConcurrentTSSessions

Specifies the maximum number of allowed concurrent PSM sessions.

To achieve best performance for user sessions, set a maximum number of concurrent sessions that is appropriate to the size of your PSM implementation.

For details about the maximum number of concurrent sessions that is supported for different PSM implementations, see System Requirements for PSM.

MaxConcurrentUploaders

Specifies the maximum number of allowed concurrent processes to upload recording files to the Vault.

ConfigurationRefreshInterval

Specifies the interval in seconds between each configuration refresh process.

ClearUserProfilesInterval

The number of days between processes that clear user profiles.

Specify '0' (zero) to disable.

Default: 30

DisableExceptionHandling

(under Advanced Settings)

Determines whether or not a crash dump is created when a system error occurs.

ShutdownTimeout

(under Advanced Settings)

Specifies the maximum time in seconds to wait for internal jobs to finish when shutting down the server.

EnableRadiusAuthWithNLACredentials

(under Advanced Settings)

For PSM for Windows: When using RADIUS authentication in CyberArk, where the RADIUS server is configured to work with LDAP, this parameter determines whether or not PSM requires the user to authenticate again after network level authentication (NLA).

EnablePKIPNAuth

(under Advanced Settings)

The default Smart Card authentication is based on PKI with Distinguished Name (DN). This parameter configures the authentication to be based on PKI with Principal Name (PKI\PN).

Clean the Shadow user profile

This section describes how to configure PSM to clean Shadow user profiles.

When users initiate a connection (session) to a target machine via PSM, a PSM Shadow user is automatically created on the PSM machine. This Shadow user is the user that logs on to the target machine and performs actions.

The purpose of the Shadow user is to isolate the session. This enables programs launched on the same server by different Vault users to run under different identities without the risk of information leaking between these sessions.

During the established session, some information is saved in the Shadow user profile, which can ultimately fill up the PSM server's storage.

PSM includes an automatic cleanup process in order to manage the PSM server's storage space. You can change the default settings, such as the threshold of the Shadow user profile folder size or which subfolders to empty.

For the full list of settings, see Shadow user profile settings.

When the user profile folder exceeds the set threshold, the end user receives a warning at the beginning of the session.

To modify the default settings of the Shadow user profile:

  1. In the PVWA, click Administration > Options.

  2. Go to Privileged Session Management > General Settings > Server Settings.

  3. Right-click Server Settings and select Add User Profile Settings.

If your PSM servers are version 11.6 or earlier, you need to restart them after you add this section.

Shadow user profile settings

The following table includes the Shadow user profile settings.

Parameter

Description

UserProfileThreshold

The Shadow user profile folder on the PSM machine is limited in size. Set this parameter to define the threshold in MB. When the folder exceeds the threshold, a message is displayed to the user at the beginning of each session.

Default: 100

NotificationLevel

When the Shadow user profile folder exceeds the UserProfileThreshold, the corresponding user's session responds according to the following:

  • Notify - A message is displayed to the user at the beginning of the session

  • Terminate - A message is displayed to the user at the beginning of the session and the session is terminated

  • Off - The Shadow user profile folder is not examined at the beginning of the session and there is no notification

Default: Notify

NotificationText

The message displayed to the user at the beginning of a session when the Shadow user profile folder on the PSM machine exceeds the UserProfileThreshold.

Acceptable values: String

Default: User profile storage space has been exceeded. Please contact your administrator

CleanupInterval

Defines the interval (in hours) at which all Shadow user profile folders are cleaned. Shadow user profile folders are cleaned when 70% of the UserProfileThreshold is reached.

Use '0' to disable cleanup.

Default: 24

CleanupFolders

The Shadow user profile folders to be cleaned.

Use '-' to entirely remove the Shadow User from the PSM machine.

Default: Desktop, Documents, Downloads, Favorites, Links, Music, Pictures, Saved Games, Videos

CleanupProcessTimeout

The timeout (in seconds) for every Shadow user profile folder removal. If the timeout is reached before the folder is deleted, PSM will try to delete the folder at the next CleanupInterval.

Default: 120
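The following PowerShell script is an added example, not CyberArk code. It reports each Shadow user profile folder against the UserProfileThreshold and the 70% cleanup trigger, and shows how much of the folder lies inside the CleanupFolders list. The profile root and the name pattern are assumptions; set them to match how Shadow user profiles appear on your PSM server.

```powershell
# Added example, not CyberArk code. Run elevated on the PSM server.
param(
    [string]$ProfileRoot = 'C:\Users',      # assumption: local profile root
    [string]$NamePattern = 'PSM-*',         # placeholder: set to your Shadow user naming
    [int]$UserProfileThreshold = 100,       # MB (default from the table above)
    [string[]]$CleanupFolders = @('Desktop','Documents','Downloads','Favorites','Links',
                                  'Music','Pictures','Saved Games','Videos')
)

function Get-FolderSizeMB {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 0 }
    # -Force includes hidden files; unreadable items are skipped, not fatal.
    $sum = (Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    if ($null -eq $sum) { return 0 }
    return [math]::Round($sum / 1MB, 1)
}

$cleanupTrigger = 0.7 * $UserProfileThreshold   # cleanup starts at 70% of the threshold

Get-ChildItem -LiteralPath $ProfileRoot -Directory -Filter $NamePattern | ForEach-Object {
    $dir = $_
    $total = Get-FolderSizeMB -Path $dir.FullName
    $reclaimable = 0
    foreach ($name in $CleanupFolders) {
        $reclaimable += Get-FolderSizeMB -Path (Join-Path $dir.FullName $name)
    }
    $residual = [math]::Round($total - $reclaimable, 1)
    [pscustomobject]@{
        Profile          = $dir.Name
        TotalMB          = $total
        ReclaimableMB    = $reclaimable      # inside CleanupFolders
        ResidualMB       = $residual         # outside CleanupFolders
        CleanupDue       = $total -ge $cleanupTrigger
        OverThreshold    = $total -gt $UserProfileThreshold
        OverAfterCleanup = $residual -gt $UserProfileThreshold
    }
} | Sort-Object TotalMB -Descending | Format-Table -AutoSize
```

A profile with OverAfterCleanup set to True holds more data outside the listed folders than the threshold allows, so with NotificationLevel set to Terminate that user's sessions would keep ending until the threshold or the CleanupFolders list is changed.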

Configure privileged sessions

The following parameters in Session Settings configure privileged sessions:

Parameter

Description

MaxSessionDuration

This parameter determines the maximum duration of the session, in minutes. This can be specified as a general PSM parameter or in a specific platform.

When users log off from the remote Windows machine, the sessions on both the PSM and the remote machine are ended. However, when users disconnect the session by clicking Close, or when the MaxSessionDuration parameter has expired, the PSM session is automatically ended but the session on the remote machine continues running. The next time they log on to the same remote machine through the PSM, they continue the same session as before. To prevent this, make sure that the Terminal Server is configured to end disconnected sessions after a specific time period.

EnforceDualControlTimeframeOnPSMConnections

Determines whether to enforce the Timeframe set in the Dual Control request on the PSM connection.

If the parameter is set to Yes, PSM sessions are terminated at the end of the Timeframe or at the end of the MaxSessionDuration, whichever is sooner.

The user receives a notification before the session is terminated. The timing of the warning is based on the WarningDisconnectionInterval value.

WarningDisconnectionInterval

This parameter specifies how many minutes before the user's session is disconnected a warning message about the disconnection is displayed.

EndUserMessageTimeout

This parameter specifies the maximum number of seconds that end user messages are displayed.
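The MaxSessionDuration description above depends on the remote Windows machine ending disconnected sessions on its own. The following PowerShell script is an added example, not CyberArk code, that checks this on a target machine: it reads the computer-level Group Policy value for the disconnected-session time limit and lists sessions that are currently disconnected but still running. The 60-minute limit is an assumption, and the quser filter assumes English-locale output; limits set per user or on the RDP listener are not covered.

```powershell
# Added example, not CyberArk code. Run on the remote Windows target, not on the PSM server.
param(
    [int]$MaxAcceptableMinutes = 60   # assumption: replace with your own policy limit
)

# Computer policy "Set time limit for disconnected sessions" (value is in milliseconds).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$entry = Get-ItemProperty -LiteralPath $policyKey -Name MaxDisconnectionTime -ErrorAction SilentlyContinue

$minutes = $null
if ($null -eq $entry) {
    # No computer policy; a limit may still come from per-user or listener settings.
    $status = 'NotConfigured'
} elseif ($entry.MaxDisconnectionTime -eq 0) {
    # 0 means disconnected sessions are never ended by this policy.
    $status = 'Never'
} else {
    $minutes = [math]::Round($entry.MaxDisconnectionTime / 60000, 1)
    $status  = if ($minutes -le $MaxAcceptableMinutes) { 'OK' } else { 'TooLong' }
}

# quser marks disconnected sessions with the state "Disc".
$disconnected = @(quser 2>$null | Where-Object { $_ -match '\sDisc\s' })

[pscustomobject]@{
    Computer               = $env:COMPUTERNAME
    PolicyStatus           = $status
    DisconnectLimitMinutes = $minutes
    DisconnectedSessions   = $disconnected.Count
}

# Raw quser lines for the disconnected sessions, for follow-up.
$disconnected
```

A PolicyStatus of NotConfigured or Never together with a non-zero DisconnectedSessions count is the condition the MaxSessionDuration description warns about: sessions that outlive the PSM session and are resumed at the next logon.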

Upload recorded sessions to the Vault

The following parameters in Session Settings determine how the PSM handles retries when the Vault is not available and recordings cannot be uploaded.

Parameter

Description

DelayBetweenUploadRetries

This parameter specifies the delay in seconds between upload retries to the Vault.

MaxUploadRetries

This parameter specifies the maximum number of uploading retries to the Vault.

Manage recording sessions

The following parameters, in Recorder Settings, define how the PSM will manage recordings:

Parameter

Description

EnableDynamicFramesPerSecond

This parameter dynamically adjusts the frames per second rate of the PSM video recorder to decrease the performance impact. This may result in reduced quality when playing the recorded videos.

The deprecated EnableDynamicFPS parameter in the basic_psm.ini file on the PSM overrides this parameter.

The basic_psm.ini file is found in the PSM installation folder. By default, this is C:\Program Files (x86)\CyberArk\PSM.

FramesPerSecond

This parameter specifies the number of frames to capture per second. The default value is 3.

This parameter is used only when EnableDynamicFramesPerSecond is set to No.

LocalRecordingsFolder

This parameter specifies the name of the local folder where recordings are saved until they are uploaded to the Vault. By default, recordings are temporarily stored in the PSM installation folder.

PSM 12.2 and higher uses a local configuration for the PSM Recordings folder. See RecordingsDirectory.

Configure the PSM Log Files

The types of messages included in the PSM log files are determined by the TraceLevels parameters in the Connection Client Settings, as follows:

The PSMTrace.log is configured by the following parameters in Server Settings:

Parameter

Description

LogRotationSize

This parameter defines the maximum size in MB of the log file before it is rotated to another location, and a new log file is started.

TraceLevels

This parameter sets the debug level of the PSM Server.

A new log file is created for each session for the recorder and the connection client. The trace levels for these files are specified in the following parameters:

Log

Description

<SessionID>.Recorder.log

The <SessionID>.Recorder.log is configured in the Recorder Settings.

<SessionID>.<connection client>.log

The <SessionID>.<connection client>.log is configured in the Connection Client Settings.

For more information about logging for the PSM Recorder, refer to PSM activity logs.

Configure PSM server details

The PSM server connection details determine how the PVWA will access the PSM server. You can configure as many PSM servers as you need.

The following parameters in the Configured PSM Servers parameters define the PSM server details:

Parameter

Description

Address

This parameter specifies the address of the PSM server machine used by passwords associated with the platform that uses this PSM server.

Port

This parameter specifies the port used to access the PSM Server machine used by passwords associated with the platform that uses this PSM server.

Safe/Folder/Object

These parameters specify the location where the password of the logon account for the PSM Server is stored, and the Object parameter specifies the name of the password.