Connection Component Parameters

This topic describes how to configure PSM connection components.

Windows Sessions (PSM-RDP)

The following parameters are specific to Windows RDP connection components. These are in addition to the general parameters that are common to all connection components. For general parameters, see Connection Component Configuration.

Parameter Description Override at platform level Override at account level
Target Settings
Client Specific Defines a dynamic list of parameters for a specific client.    
Port The port used to connect to the remote device. The default port for Windows transparent connections is 3389.

ü

ü
AuthenticationLevel The authentication level that will be used for this connection. Optional values are:
0 – The PSM server is not required to authenticate the target machine before connecting to it.
1 – The PSM server will authenticate the target machine before connecting to it.
2 – The PSM server will authenticate the target machine before connecting to it. If the authentication fails, the user will be able to cancel the connection or to initiate a connection without authentication.

ü

ü

StartProgram

The full path of the program that will be started when the PSM-RDP connection is initiated.

ü

ü

WorkDir

The full path of the working directory for the program specified in the StartProgram parameter. If this property is not specified, the default working directory will be used. The default working directory is C:\Users\<current user>.

ü

ü

TerminateOnWinAudit
InitFailure

Whether or not the PSM RDP session will stop when the Windows Events Audit or Universal keystrokes audit cannot be initialized.
Acceptable values: Yes/No
Default value: No

ü

û

TerminateOnWinAudit
Timeout

Whether or not the PSM RDP session will stop when the Windows Events Audit or Universal keystrokes audit is not working.
Acceptable values: Yes/No.
Default value: Yes.

ü

û

WindowsEventsSampleRate

How often PSM will check for new windows that were accessed on the target machine.
Default value: 0.05 seconds.

ü

û

WindowsEventsKeepAlive

How long a session will be kept alive when the Windows Events Audit or Universal keystrokes audit is not active.
Default value: 1 minute.
When the specified amount of time has passed, PSM will decide whether or not to terminate the session according to the value specified in the TerminateOnWinAuditTimeout parameter.

ü

û
EnableTargetLogging Whether or not trace logging to the Event Viewer on the target machine is enabled. Acceptable values: Yes/No
Default value: No

ü

û
WindowsKeystrokes
SingleLanguage

Whether or not universal keystrokes recording for Windows connections will be supported for a single or additional languages during privileged sessions.
Acceptable values: Yes/No
Default value: Yes

ü

û
RedirectDrivesRetries

The number of times that PSM will try to map local drives on the client computer to the remote machine. The default value is 6.

    
RedirectDrivesRetryInterval

The number of milliseconds between PSM efforts to map local drives on the client computer to the remote machine, as defined in RedirectDrivesRetries. The default value is 5000 milliseconds.

    
User Parameters
AllowConnectToConsole

Whether or not users will be allowed to connect through the PVWA to the administrative console of the remote machine.

ü

û
RedirectSmartCards

Whether or not users will be allowed to redirect their Smart Card so that the certificate stored on the end user's card can be accessed on the target. To enable this feature, the Smart Card driver must be installed on the PSM machine. In load-balanced implementations, the driver must be installed on all load balanced PSMs.

ü

û

Unix/Linux or other SSH Sessions (PSM-SSH)

The following parameters are specific to Unix/SSH connection components. These are in addition to the general parameters that are common to all connection components. For general parameters, see Connection Component Configuration.

Parameter Description Override at platform level Override at account level
Target Settings
Client Specific

Defines a dynamic list of parameters for a specific client.

   
Port

The port used to connect to the remote device. The default port for SSH connections is 22

ü

ü
AutoLogon
SequenceWith
LogonAccount

A multi-line sequence that defines an automatic sign-on process which uses a logon account to log onto a remote machine and then another account to elevate the user so that it can run sessions. The sequence uses regular expression prompts and responses with dynamic values based on the relevant account that can include one or more dynamic references. PSM reads these references in the following order: account properties, user parameters, then client specific parameters.
For more information, refer to Use logon accounts for PSM-SSH and PSM-Telnet connection components.

ü

 -
SendRateValue

A send rate value in milliseconds that overrides the default send rate delay value, which determines the speed at which the client will send the login sequence keystrokes.

ü

ü
PromptTimeout

A timeout value in milliseconds that overrides the default prompt timeout value, which determines how long the client will wait for the next prompt to be received before displaying an error message and closing the session.

ü

ü
ShellPromptForAudit

Defines a regular expression that represents the shell prompt on the target systems. If the prompt is not recognized based on this expression the SSH keystrokes audit will fail. Use the TerminateOnShellPromptFailure parameter to determine the PSM behavior in such scenario. Type: string. If no value is set the default value is used. Default value: (.*)[>#\\$]$

ü

 -
TerminateOnShellPromptFailure

Whether or not the session will stop if the shell prompt was not recognized after the amout of time defined in the parameter PromptTimeout. Available values: Yes/No Default value: No

ü

 -
BackgroundColor

Configure the background color of an SSH session.

Session coloring requires the support of ANSI colors on the end-user's SSH Client.

Available values: black, red, green, yellow, blue, magenta, cyan, gray

Default value: No color

ü

 -
ForegroundColor

Configure the foreground color of an SSH session.

Session coloring requires the support of ANSI colors on the end-user's SSH Client.

Available values: black, red, green, yellow, blue, magenta , cyan , gray , dark_gray, bright_red, bright_green, bright_yellow, bright_blue, bright_magenta, bright_cyan, white

Default value: No color

ü

 -

Telnet Sessions (PSM-Telnet)

The following parameters are specific to Telnet connection components. These are in addition to the general parameters that are common to all connection components. For general parameters, please see Connection Component Configuration.

Parameter Description Override at platform level Override at account level
Target Settings
Client Specific

Defines a dynamic list of parameters for a specific client.

   
ClientProtocol

The protocol used to create the connection to the remote device. The default protocol is Telnet. 

-

ü
AutoLogon
Sequence

A multiline sequence that defines the automatic sign-on process using regular expression prompts and responses with placeholders for dynamic values that can include one or more dynamic references. The PSM reads these references in the following order: account properties, user parameters, then client specific parameters.
For more information, refer to Configure PSM-Telnet connection components.

ü

 -
AutoLogon
SequenceWith
LogonAccount

A multiline sequence that defines an automatic sign-on process which uses a logon account to log onto a remote machine and then another account to elevate the user so that it can run sessions. The sequence uses regular expression prompts and responses with dynamic values based on the relevant accounts that can include one or more dynamic references. The PSM reads these references in the following order: account properties, user parameters, then client specific parameters.
For more information, refer to Use logon accounts for PSM-SSH and PSM-Telnet connection components.

ü

 -
SendRateValue

A sent rate value in milliseconds that overrides the default send rate delay value, which determines the speed at which the client will send the login sequence keystrokes.

ü

ü
PromptTimeout

A timeout value in milliseconds that overrides the default prompt timeout value, which determines how long the client will wait for the next prompt to be received before displaying an error message and closing the session.

ü

ü
ShellPromptForAudit

Defines a regular expression that represents the shell prompt on the target systems. If the prompt is not recognized based on this expression the SSH keystrokes audit will fail. Use the TerminateOnShellPromptFailure parameter to determine the PSM behavior in such scenario. Type: string. If no value is set the default value is used. Default value: (.*)[>#\\$]$

ü

 -
TerminateOnShellPromptFailure

Whether or not the session will stop if the shell prompt was not recognized after the amout of time defined in the parameter PromptTimeout. Available values: Yes/No Default value: No

ü

 -
BackgroundColor

Configure the background color of an SSH session.

Session coloring requires the support of ANSI colors on the end-user's SSH Client.

Available values: black, red, green, yellow, blue, magenta, cyan, gray

Default value: No color

ü

 -
ForegroundColor

Configure the foreground color of an SSH session.

Session coloring requires the support of ANSI colors on the end-user's SSH Client.

Available values: black, red, green, yellow, blue, magenta , cyan , gray , dark_gray, bright_red, bright_green, bright_yellow, bright_blue, bright_magenta, bright_cyan, white

Default value: No color

ü

 -

Configure PSM-Telnet connection components

The AutoLogonSequence parameter defines a multiline sequence that is used by PSM during the automatic sign-on process for a Telnet connection to a remote device. It contains regular expression prompts and responses with dynamic values.

You can customize this parameter according to the logon process for each connection.

  1. In the System Configuration page, click Options; the Web Access Options are displayed.

  2. Click Connection Components; a list of all the configured connection components is displayed.

  3. Right-click PSM-Telnet-Sample then, from the pop-up menu, select Copy.

  4. Right-click Connection Components then, from the pop-up menu, select Paste; a new connection component is added to the bottom of the existing list.

  5. Rename the new connection component.

  6. Select the new connection component, then in the Properties list change the Id of the new connection component to PSM-Telnet or any other relevant name.

  7. Expand Target Settings, and then expand Client Specific; a list of Client Specific parameters appears.

  8. Select AutoLogonSequence.

  9. In the Properties list, click the value of the Value property; the Value edit box appears.

  10. Specify the logon process, as shown in the following examples.

    The following example shows a simple logon process that includes a username and password then logs the user on.

    telnet autologinsequence.png

    To prevent the client from adding a CRLF character (new line) to the end of the response, specify (nocrlf) at the beginning of the prompt, as shown in the following example:

    telnet autologonsequence 2.png

    In each line, the text to the left of the ‘>’ (parenthesis) represents the regular expression for the prompt on the remote machine. The text to the right of the ‘>’ (parenthesis) represents the PSM response, including a dynamic reference to an account property.

    This response can include one or more dynamic references. The PSM reads these references in the following order: account properties, user parameters, then client specific parameters.

    To specify ‘>’ as a character in the prompt, use the character code \x3e.

  1. Click OK.

  2. Click Apply to apply the new Connection Component configurations,

    or,

    Click OK to save the new Connection Component configurations and return to the System Configuration page.

Use logon accounts for PSM-SSH and PSM-Telnet connection components

A logon account can be used to initiate sessions to machines that do not permit direct logon. This account can be used to log onto the remote machine and then elevate itself to the role of privileged user using credentials that are stored in the Vault.

The PSM uses a multiline sequence during the automatic sign-on process which contains regular expression prompts and responses with dynamic values that define the logon process and subsequent activities. As different types of machines require different logon prompts, you can override this sequence at platform level or create new connection components which you can customize.

 

For SSH connections, the logon account can use either password or SSH key authentication. If the logon account uses SSH key authentication, the associated privileged account must use password authentication.
 

Step 1:

Link a logon account to the account that cannot be used for direct logon, but will be used to run sessions on the remote machine.

The following screen shows the Account Details page of the root account that will be used to run sessions on a remote machine.

In this scenario, this account cannot be used to log onto the remote machine, so the UNIX via SSH-logon-1.1.1.128 logon account has been associated with the account.

Step 2:

The PSM connects to the remote machine automatically using the associated logon account and elevates the user to a privileged user.

After the user clicks Connect, a session is opened in the remote machine and the logon account is used to log on.

In this example, after successfully logging on, the current user issues the su command and elevates itself to the root user using the credentials in the main account managed in the Vault.

  1. Before associating a logon account, make sure that the Connection Client capabilities are configured for a logon account:

     

    The logon account capability is added automatically by the PSM installation. If your first PSM installation is PSM v7.0, enable the logon account capability manually as described below.

    1. In the System Configuration page, click Options to display the Web Access Options parameters.

    2. Select and expand Privileged Session Management, then expand General Settings.

    3. In Connection Client Settings, expand Capabilities.

    4. Right-click Capabilities, then from the pop-up menu, select Add Logon Account; a new Logon Account parameter is created.

    5. In the Logon Account properties, make sure that the following property values are specified:

    Property Specifies
    Id LogonAccount
    Description LogonAccount
    Type PasswordProtection
    IntegrationType Embedded
    Format NA

    These values are shown in the following window:

  1. In the Account Details page of the account that will be used to run sessions on a remote machine, associate the account that will be used to log onto the remote machine.

    For more information about adding a linked account to new and existing accounts, refer to Create linked accounts.

  2. Specify the automatic logon sequence with the logon account:

    1. In the System Configuration page, display the Web Access Options.

    2. Expand Connection Components, then expand the connection component to configure.

    3. Expand Target Settings and then expand Client Specific; a list of Client Specific parameters appears.

    4. Select AutoLogonSequenceWithLogonAccount, then in the Properties list, click the value of the Value property; the Value edit box appears.

    5. Specify the prompts and responses to include in the automatic logon process, using regular expressions and dynamic account properties to mimic the exact sequence that will be run on the remote machine.

As prompts differ according to machine, it is important to make sure that you write the prompt exactly as the machine requires.

For PSM-SSH connections:

i. Specify the command that will elevate the logon user to the user who will run sessions on the remote machine. Use regular expression prompts and responses with dynamic values, as shown in the following example:

auto logon sequence w logon account SSH.png

ii. In each line, the text to the left of the ‘>’ (parenthesis) represents the regular expression for the prompt on the remote machine. The text to the right of the ‘>’ (parenthesis) represents the PSM response, including a dynamic reference to an account property.

This response can include one or more dynamic references. PSM reads these references in the following order: account properties, user parameters, then client specific parameters.

To specify ‘>’ as a character in the prompt, use the character code \x3e.

For PSM-Telnet connections:

i. Create a new PSM-Telnet connection component, based on PSM-Telnet-Sample, as described in Configure PSM-Telnet connection components.
ii. Specify the logon command that enable the logon account to log onto the remote machine.
iii. Specify the command that will elevate the logon user to the user who will run sessions on the remote machine.
iv. Specify the username and password of the user who will run sessions on the remote machine.

auto logon sequence w logon account Telnet labelled.png

In each line, the text to the left of the ‘>’ (parenthesis) represents the regular expression for the prompt on the remote machine. The text to the right of the ‘>’ (parenthesis) represents the PSM response, including a dynamic reference to an account property.

This response can include one or more dynamic references. PSM reads these references in the following order: account properties, user parameters, then client specific parameters.

  1. Click OK; the logon sequence is displayed in the Value property as one line.

  2. Click Apply to apply the new Connection Component configurations,

To specify ‘>’ as a character in the prompt, use the character code \x3e.

or,

Click OK to save the new Connection Component configurations and return to the System Configuration page.

The client ‘skips’ characters while imitating the login sequence

  1. In the relevant connection component, add the SendRateValue parameter in the Client Specific target settings.

  2. Set the parameter value to higher than 100

  3. Click Apply to apply the new Connection Component configurations,

or,

Click OK to save the new Connection Component configurations and return to the System Configuration page.

The following message appears: PSMSH059E Failed to execute login sequence: Incorrect sequence defined in configuration, or network timeout occurred

  1. Make sure that the value of the AutoLogonSequence or the AutoLogonSequenceWithLogonAccount parameter is configured correctly.

  2. Compare the specified login sequence with the login sequence from the text recording file after a session fails.

    1. From the Client Specific target settings, remove the AutoLogonSequence or the AutoLogonSequenceWithLogonAccount parameter.

    2. Run the logon sequence again to make the client text record the session from the beginning.

    3. After the session fails, copy the prompts for the login sequence from the text recording file.

    4. In the Client Specific target settings, add the AutoLogonSequence or the AutoLogonSequenceWithLogonAccount parameter again.

  3. If the specified login sequence is identical to the recorded text and the error message is still displayed, set the value of the PromptTimeout parameter to a much higher value. For example, 10000.

WinSCP Sessions (PSM-WinSCP)

The following parameters are specific to WinSCP connection components. These are in addition to the general parameters that are common to all connection components. For general parameters, please see Connection Component Configuration.

Parameter Description Override
at platform
level 		Override
at
account
level
Component Parameters
For RDP File connections – redirectprinters:i
Whether or not users will be able to redirect printers from their local machine to the remote server. Possible values:
0 – Users will not be able to redirect printers.
1 – Users will be able to redirect printers. This is the default value.

To redirect printers, the AllowMappingLocalDrives parameter must be enabled.

When the user connects directly from their desktop using an RDP client application, overriding of configurations of drives, printers and clipboard redirection at platform level is ignored.

ü

û
Target Settings
Client Specific Defines a dynamic list of parameters that are required to log onto a specific client.    
DispatcherParameters The parameter that defines the target server and the connection. This parameter uses the following syntax:
{Address}
{Username}
{Password}
[{PSMClientApp}]
[{Port}]
[{FileTransferProtocol}]
[{WindowTimeout}]
[{RestrictiveMode}]
[{AcceptHostKeyInCache}]

These parameters must be specified in the above order and on a different line.

This syntax is explained below:
Address – Hostname/IP of the target server.
Username – Username of the target account.
Password – Password of the target account.
WinSCP Executable Path – Location of the WinSCP exe file. If this is not specified, the default path is used – C:\Program Files (x86)\CyberArk\ PSM\Components\WinSCP.exe.
Port – Port used to connect to the remote device. If this is not specified, the default port is used – 22.
FileProtocol – The protocol used to transfer files. Optional values are SCP and SFTP. If this is not specified, the default value is used – SFTP.
WindowTimeout – Number of seconds to wait for each window. If this is not specified, the default value is used – 30 seconds.

ü

 -
 
RestrictiveMode – Whether or not to kill the process if an unexpected window appears during initialization and login. Specify Yes to end the process automatically or No to allow the user to handle the unexpected windows within the timeout limits. If this is not specified, the default value is used – No.
AcceptAddingKeyToCache – Whether or not to dismiss the host key warning by adding the host key into the machine cache. Specify Yes to continue connecting automatically (the key is not added to the cache) or No to ask the user to add the host key manually. If this is not specified, the default value is used – No.
Note: Do not specify a new line after the final parameter. 		   
     
RedirectDrivesRetries

The number of times that PSM will try to map local drives on the client computer to the remote machine. The default value is 3.

   
RedirectDrivesRetryInterval

The number of milliseconds between PSM efforts to map local drives on the client computer to the remote machine, as defined in RedirectDrivesRetries. The default value is 5000 milliseconds.

   

Use WinSCP through a CLI

  1. In the System Configuration page, click Options; the Web Access Options are displayed.

  2. Expand Connection Components; the list of configured connection componects is displayed.

  3. Copy the original PSM-WinSCP component:

    1. Right-click PSM-WinSCP then, from the pop-up menu, select Copy.

    2. Right-click Connection Components then, from the pop-up menu, select Paste; a copy of the connection component is added to the bottom of the existing list.

  4. Rename the new connection component.

    • Select the new connection component, then in the Properties list change the Id of the new connection component to WinSCP-CommandLine.

  5. Expand the new connection component and selet Target Settings; the general target setting properties are displayed.

  6. Change the values of the following properties:

    Property New value
    ClientApp C:\Program Files (x86)\CyberArk\PSM\Components\WinSCP.exe /console scp://{username}:{password}@{address}
    ClientDispatcher NA
    ClientInvokeType CommandLine

  7. Right-click Lock Application Window, then from the pop-up menu, select Detete; the Lock Application Window parameter is removed from the target settings parameters.

  8. Add a new Client Specific parameter:

    1. Right-click Client Specific, then select Add Parameter; a new parameter is added.

    2. In the properties list, specify the following values:

      • Name – The name of the new parameter. Specify CmdLineParmsHideTimeout.

      • Value – The time, in milliseconds, that PSM waits for the command line parameters hiding process to finish its operation. Specify 50000.

  9. Click OK to save the new Connection Component configurations and return to the System Configuration page.

  10. Click ADMINISTRATION to display the System Configuration page, then click Platform Management to display a list of supported target account platforms.

  11. In the platform that will support WinSCP connections through a command line Create a platform, add the new connection component.

  12. Click Apply to apply the new Connection Component configurations,

or,

Click OK to save the new Connection Component configurations and return to the System Configuration page.

OS/390 (Z/OS) Sessions

The following parameters are specific to OS/390 (Z/OS) connection components. These are in addition to the general parameters that are common to all connection components. For general parameters, please see Connection Component Configuration.

Parameter Description Override at platform level Override at account level
Target Settings
Client Specific

Defines a dynamic list of parameters for a specific client.

   
SourceFileTemplate

A macro file that contains a list of commands to the client. These commands can be specified with placeholders (in braces {}), so that users can specify custom metadata. For a complete list of commands, refer to Connection Component Configuration.
Note: The default source file template is a sample. Change this to specify the source file in your environment.

ü

ü
CommandLine
Arguments

The wc3270 option that can be run during the PSM-OS390 connection session.

ü

ü
Lock Application Window

Defines the behavior of the Lock Application Window process.

   

AS400 (iSeries) Sessions

The following parameters are specific to AS400 (iSeries) connection components. These are in addition to the general parameters that are common to all connection components. For general parameters, see Connection Components.

Parameter Description Override at platform level Override at account level
Component Parameters
For RDP File connections – redirectprinters:i
Whether or not users will be able to redirect printers from their local machine to the remote server. Possible values:
0 – Users will not be able to redirect printers.
1 – Users will be able to redirect printers. This is the default value.
To redirect printers, the AllowMappingLocalDrives parameter must be enabled.
When the user connects directly from their desktop using an RDP client application, overriding of configurations of drives, printers and clipboard redirection at platform level is ignored.

ü

û
Target Settings
Client Specific

Defines a dynamic list of parameters for a specific client.

   
SourceFileTemplate

A macro file that contains a list of commands to the client. These commands can be specified with placeholders (in braces {}), so that users can specify custom metadata. For a complete list of commands, refer to Connection Components.
Note: The default source file template is a sample. Change this to specify the source file in your environment.

ü

ü
CommandLine Arguments

The list of WC3270 options that can be run during the PSM-AS400 connection session. You can specify multiple options, separated by a comma.
For a complete list of commands, refer to Connection Components.

ü

ü
Lock Application Window

Defines the behavior of the Lock Application Window process.