Terminal Plugin Controller

The Terminal Plugin Controller (TPC) platform helps you create new CPM plugins using terminal and scripting languages for terminal-based devices.

Overview

TPC functions as both a platform for creating state machine plugins, and as an engine for running these plugins (interpreter).

TPC plugins contain two files that the platform uses to authenticate to target machines:

  • Prompts file: includes a list of conditions. When the plugin runs, TPC matches the conditions defined in this file to the output (prompts) it receives from the target machine. For more information, see Create a Prompts file.
  • Process file: includes all the states and transitions that are relevant to the flow. For more information, see Create a Process file.

To use TPC plugins, first review the Requirements and Support sections, and then proceed to Create and deploy a TPC plugin.

Requirements

Make sure you have met the following requirements:

  • CPM version 9.7 or later

  • .NET installed. For supported versions, see .NET Framework.

Support

TPC supports plugins that are based on the following:

  • SSH
  • Telnet
  • Python
  • PowerShell
  • cScript

For more information about connecting to the plugins, see Spawn.

SSH support

The following methods are supported.

Key exchange methods

  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group1-sha1
  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521

Message authentication codes

  • hmac-md5
  • hmac-md5-96
  • hmac-sha1
  • hmac-sha1-96
  • hmac-sha2-256
  • hmac-sha2-256-96
  • hmac-sha2-512
  • hmac-sha2-512-96

Host key algorithms

  • ecdsa-sha2-nistp256
  • ecdsa-sha2-nistp384
  • ecdsa-sha2-nistp521
  • ssh-rsa
  • ssh-dss

Create and deploy a TPC plugin

  1. Create the platform that will manage the target account to which you want to define the plugin. For details, see Add a new platform (duplicate).
  2. Configure the platform to use the TPC engine to run the plugin. For details, see Run plugins using the TPC engine.
  3. Create the plugin files. For details, see Create a Prompts file and Create a Process file.
  4. Configure the platform to use the files:

    1. In PVWA, click Administration > Platform Management.
    2. Select the platform, and then click Edit.
    3. In the left pane, click Automatic Password Management > Additional Policy Settings.
    4. In the Properties pane, enter the path to the plugin files in PromptsFilename and ProcessFilename (for example, bin/<file-name>).
  5. Put the files in the CPM bin folder.

Forbidden characters and words

The following characters cannot be used in the TPC platform.

Forbidden characters

  • %00
  • &
  • ;
  • #
  • |
  • $
  • >
  • <

The following words cannot be used in the TPC platform.

Forbidden words

  • cd
  • debug
  • exec
  • file
  • getf
  • glob
  • host
  • info
  • interp
  • kill
  • load
  • object
  • open
  • package
  • pid
  • pwd
  • setf
  • socket
  • source
  • spawn
  • sql
  • unload
  • unsetf
  • uri
  • version
  • xml
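As an added pre-deployment check (example code, not part of this page or the TPC product), the following script scans the body of a Prompts or Process file for the forbidden characters and words listed above before the file is copied to the CPM bin folder. It assumes that a forbidden word only counts as a whole token and that %00 denotes a NUL byte, raw or URL-encoded; the page does not describe how TPC itself tokenizes the files.

```python
import re

# Forbidden characters and words, copied from the tables on this page.
# %00 is treated here as a NUL byte, raw or URL-encoded (assumption).
FORBIDDEN_CHARS = ["&", ";", "#", "|", "$", ">", "<"]
FORBIDDEN_WORDS = [
    "cd", "debug", "exec", "file", "getf", "glob", "host", "info", "interp",
    "kill", "load", "object", "open", "package", "pid", "pwd", "setf", "socket",
    "source", "spawn", "sql", "unload", "unsetf", "uri", "version", "xml",
]

# Assumption: a forbidden word only counts as a whole token (so "cdrom" is fine),
# matched case-insensitively. The page does not describe TPC's tokenizer.
_WORD_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(map(re.escape, FORBIDDEN_WORDS)) + r")(?![A-Za-z0-9_])",
    re.IGNORECASE,
)


def scan_plugin_text(text):
    """Return (line_number, kind, token) findings for a Prompts or Process file body."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "\x00" in line or "%00" in line:
            findings.append((lineno, "char", "%00"))
        for ch in FORBIDDEN_CHARS:
            if ch in line:
                findings.append((lineno, "char", ch))
        for match in _WORD_RE.finditer(line):
            findings.append((lineno, "word", match.group(1).lower()))
    return findings


def is_clean(text):
    """True when the file body contains none of the forbidden characters or words."""
    return not scan_plugin_text(text)


# Constructed process-file fragment for demonstration; not a real TPC file.
SAMPLE = """\
init:
    send "show version\\r"
    expect "prompt" goto done
done:
    send "exit | tee log\\r"
"""

if __name__ == "__main__":
    for lineno, kind, token in scan_plugin_text(SAMPLE):
        print(f"line {lineno}: forbidden {kind} {token!r}")
```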

Run plugins using the TPC engine

You can configure your platforms to run plugins using the TPC engine.

To configure the platform:

  1. Log in to the PVWA.
  2. Click Administration > Platform Management.
  3. Select the platform, and then click Edit.
  4. In the left pane, click Automatic Password Management > CPM Plug-in.
  5. Set the ExeName parameter value to:

    • CACyberArk.TPC.exe (for versions 9.7 - 10.3).
    • CyberArk.TPC.exe (for version 10.4 and higher).
  6. For versions 9.7 - 10.3: Set the DllName parameter value to CyberArk.Extensions.Infra.Common.dll.

Import TPC

This section describes how to import the TPC platform to an existing PAM - Self-Hosted environment.

To import TPC:

  1. Download the latest TPC version from CyberArk Marketplace.
  2. Extract the files from the installation package to the CPM installation folder ('bin').
  3. For PAM - Self-Hosted versions 9.7 - 10.3: Rename CyberArk.TPC.exe to CACyberArk.TPC.exe.

You must restart the CPM service after replacing binary or exe files in the CPM bin folder.

Impersonate human speed

There are cases in which target machines reject connection attempts that appear to be initiated by a machine. This is done to safeguard the target machine against bots and other malicious attacks. The speed at which the credentials are delivered is a clear indication of whether the connection was initiated by a human or by a machine.

If you are creating a plugin for a target machine that applies this practice, you can implement the Send Human feature to ensure a successful connection. This feature allows TPC to send the prompts to the target machine more slowly, at a random rate ranging between two values, for machines where TPC is either sending the prompts too fast or is detected as non-human.

Send Human is a platform configuration option accessed from the PVWA.

Configure Send Human:

  1. In the PVWA, open the platform for editing. For details, see Edit a platform in Manage platforms v10 interface.
  2. Open Automatic Password Management > Additional Policy Settings > Parameters.

    If this path is not yet defined, right-click Automatic Password Management, and then select Add Additional Policy Settings. Then right-click Additional Policy Settings and select Add Parameters.

  3. Right-click Parameters and add the following properties: SendHumanMin and SendHumanMax.

    Enter a value for each in milliseconds. TPC will send the prompts to the target machine at a random rate ranging between these two values.

    SendHumanMax must be greater than or equal to SendHumanMin.

    If SendHumanMax is defined but SendHumanMin is not, then the value of SendHumanMin is zero (0).

    If SendHumanMin is defined but SendHumanMax is not, then the value of SendHumanMax is SendHumanMin * 2.

  4. Save your changes.
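The SendHumanMin/SendHumanMax rules above, carried through as an added example (not TPC's own code): resolve_send_human applies the defaulting and validation rules exactly as stated, and send_human paces a string between the two values. It assumes that TPC applies the random delay per character and injects the write and sleep functions so the pacing can be exercised without a live session.

```python
import random
import time


def resolve_send_human(send_human_min=None, send_human_max=None):
    """Apply the SendHumanMin/SendHumanMax rules from the platform settings.

    Returns (min_ms, max_ms), or None when neither parameter is defined.
    Rules from this page: only Max set -> Min is 0; only Min set -> Max is Min * 2;
    Max must be greater than or equal to Min.
    """
    if send_human_min is None and send_human_max is None:
        return None
    if send_human_min is None:
        send_human_min = 0
    if send_human_max is None:
        send_human_max = send_human_min * 2
    if send_human_min < 0 or send_human_max < send_human_min:
        raise ValueError(
            f"SendHumanMax ({send_human_max}) must be >= SendHumanMin ({send_human_min})"
        )
    return send_human_min, send_human_max


def send_human(text, window, write, sleep=time.sleep, rng=None):
    """Write text one character at a time, pausing a random number of
    milliseconds drawn from window after each one.

    Assumption: TPC paces per character; the page only says prompts are sent
    at a random rate between the two values. write and sleep are injected so
    the pacing can be tested without a real session. Returns the delays used (ms).
    """
    rng = rng or random.Random()
    lo, hi = window
    delays = []
    for ch in text:
        write(ch)
        delay_ms = rng.randint(lo, hi)
        delays.append(delay_ms)
        sleep(delay_ms / 1000.0)
    return delays


if __name__ == "__main__":
    window = resolve_send_human(send_human_min=150)  # -> (150, 300)
    sent = []
    used = send_human("admin\r", window, sent.append, sleep=lambda _s: None)
    print(repr("".join(sent)), used)
```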