Monitor system health

This topic describes how to monitor the status of your Privilege Cloud solution components from the Privilege Cloud Portal.

Overview

The System Health dashboard provides Privilege Cloud administrator with a high level, visual representation of the health status of the different CyberArk components. This includes Privilege Cloud and Secrets Manager Credential Providers environments.

The System Health dashboard includes the following information for each component:

Component

Information

Web Portal

  • Total number of licensed EPV users who are currently logged on to all Privilege Cloud Portals

     

    Note: The information shown in the System Health page does not include built-in users or custom user types. For information on built-in users, see Privilege Cloud built-in users.

CPM and Accounts Discovery

  • The number of CPM users (App user instances) connected to or disconnected from Privilege Cloud

  • The total number of accounts managed by all CPMs, including the following:

    • Groups that contain accounts that share the same password

    • Accounts that are associated with disabled platforms

    • Deleted accounts that have not yet been deleted by the Clear Safe History process

PSM and PSM for SSH

  • The number of component users (App user instances) connected to or disconnected from Privilege Cloud

  • Total number of component sessions that are currently active

Secrets ManagerCredential Providers

  • The number of Secrets Manager users (App user instances) connected to Privilege Cloud

  • The number of Secrets Manager users that are not connected to Privilege Cloud

  • The total number of Secrets Manager application IDs

Export system health information

Use the following REST APIs to export system health information:

REST API

Description

Privilege Cloud system health summary

A method that returns consolidated information about Privilege Cloud, Privilege Cloud Portal, CPM, PSM/PSM for SSH, and Secrets Manager Credential Providers, including all clients that are relevant to each specific component.

Privilege Cloud system health details

A method that returns details about all the relevant clients for a specific component type and system health information about each one.

View component details

Click any component in the System Health page to view its details.

Information about each component instance is displayed in a grid.

Sort the grid by clicking on the header of the column by which you want to sort.

Restore component connectivity

Components may sometimes be disconnected from Privilege Cloud (Connectivity Status = Disconnected).

The most common reasons are:

  • Network issues. First check your network. If there are no issues, check for sync issues.

  • Sync issues. The component is no longer able to authenticate to Privilege Cloud. In this case, you can restore connectivity for the relevant component.

If you are unable to resolve connectivity using the following procedures, contact CyberArk support for further assistance.

Restore connection for CPM

Perform the following procedures.

Step 1: reset the component credentials in the Privilege Cloud Portal

  1. On the local machine, stop the CPM services:

     

    The CPM services are: 

    • CyberArk Central Policy Manager Scanner

    • CyberArk Password Manager

  2. On the System Health page in the Privilege Cloud Portal, Select the component, and then click Restore connectivity.

  3. On the Restore Connectivity page, reset the App User password, and then continue to Step 2: Create/replace the credential file on the local machine.

Step 2: Create/replace the credential file on the local machine

To create a new CPM credential file:

  1. Log on to the CPM server.

  2. From a command prompt, go to the Vault subfolder of the CPM installation folder. By default, this is C:\Program Files (x86)\CyberArk\Password Manager\Vault.

  3. Enter the following command, and use the password that you entered when restoring connectivity to Privilege Cloud:

    For Connector version 11.7 and lower:

      
    CreateCredFile.exe user.ini Password /Username {username} /Password {password} /AppType CPM

    For Connector version 12.1.1 and higher:

      
    CreateCredFile.exe user.ini Password /Username {username} /Password {password} /AppType CPM /EntropyFile /DPAPIMachineProtection

     

     

    • {username} and {password} are placeholders. The default username is PasswordManager.

  4. Start the CPM services.

  5. Make sure that the component appears as connected in the System Health page.

Restore connection for PSM

You cannot restore the connection of the PSM server from the System Health page.

 

You need the assistance of CyberArk support to initiate this procedure. Provide support with information required to access the PSM server for which you want to restore connectivity. Once support is done initiating the process, they will provide you with the password that you need for the following procedure.

Create/replace the credentials file:

  1. Stop the PSM Server service.

  2. In the \CyberArk\PSM\Vault folder, copy all the *.cred and *.ini files and save them in a different location.

  3. Use the CreateCredFile utility to create new credentials files for the PSMApp and PSMGW users.

    1. From a command prompt, go to the Vault subfolder of the PSM installation folder. By default, this is C:\Program Files (x86)\CyberArk\PSM\Vault.

    2. Enter the following command:

      • For the PSMApp user:

          
        CreateCredFile.exe psmapp.cred Password /Username {username} /Password {password} /AppType PSMApp /DPAPIMachineProtection /EntropyFile

      • For the PSMGW user

          
        CreateCredFile.exe psmgw.cred Password /Username {username} /Password {password} /AppType PSMApp /DPAPIMachineProtection /EntropyFile

      • {username} - A placeholder for the PSMApp or PSMGW user name. The value can be found in the psmapp.cred or psmgw.cred file under the Vault subfolder of the PSM installation folder. By default, this is C:\Program Files (x86)\CyberArk\PSM\Vault.

      • {password} - A placeholder for the password you received from support.

       

      • You can find the location of the PSM installation folder in the HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CyberArk\CyberArk Privileged Session Manager registry.

      • For enhanced security, add the /ExePath {capsm.exe file path} parameter at the end of the command. The capsm.exe file is located in the PSM installation folder.

    1. From a command prompt, go to the Vault subfolder of the PSM installation folder. By default, this is C:\Program Files (x86)\CyberArk\PSM\Vault.

      Enter the following command:

      • For the PSMApp user:

          
        CreateCredFile.exe psmapp.cred Password /Username {username} /Password {password} /AppType PSMApp /UseOSProtectedStorage Machine

      • For the PSMGW user

          
        CreateCredFile.exe psmgw.cred Password /Username {username} /Password {password} /AppType PSMApp /UseOSProtectedStorage Machine

      • {username} - A placeholder for the PSMApp or PSMGW user name. The value can be found in the psmapp.cred or psmgw.cred file under the Vault subfolder of the PSM installation folder. By default, this is C:\Program Files (x86)\CyberArk\PSM\Vault.

      • {password} - A placeholder for the password you received from support.

       

      • You can find the location of the PSM installation folder in the HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CyberArk\CyberArk Privileged Session Manager registry.

      • For enhanced security, add the /ExePath {capsm.exe file path} parameter at the end of the command. The capsm.exe file is located in the PSM installation folder.

  4. Start the PSM service.

  5. Make sure that the component appears as connected in the System Health page.

Restore connection for PSM for SSH

You cannot restore the connection of the PSM for SSH server from the System Health page.

 

You need the assistance of CyberArk support to initiate this procedure. Provide support with information required to access the PSM for SSH server for which you want to restore connectivity. Once support is done initiating the process, they will provide you with the password that you need for the following procedure.

Create/replace the credentials file:

  1. Stop the PSM for SSH service.

  2. Go to the path where the cred files are located.

    For user

    Folder

    • appuser

    • gwuser

    /etc/opt/CARKpsmp/vault

  3. Use the CreateCredFile utility to create new credentials files for appuser and gwuser.

    For user

    Run command

    appuser
      
    ./CreateCredFile psmpappuser.cred Password -Username <appusername> -Password <app_user_password> -OSUsername root -AppType PSMPApp -ExePath /opt/CARKpsmp/bin/psmpserver  -EntropyFile

    gwuser
      
    ./CreateCredFile psmpgwuser.cred Password -Username <gwusername> -Password <gw_user_password> -OSUsername root -AppType PSMPApp -ExePath /opt/CARKpsmp/bin/psmpserver  -EntropyFile

    Run the following command:

      
    CreateCredFile <filename> Password –Username <username> -Password <password>

  4. Start the PSM for SSH service.

  5. Make sure that the component appears as connected in the System Health page.

Troubleshoot Secrets Manager Credential Providers connectivity

If a Credential Providers component appears disconnected, check the following:

  1. You may have a multitude of Credential Providers defined in your environment. Some may have been disconnected on purpose. Check whether the component displayed is actually connected to an installed Credential Providers machine. If it is not, you can delete that user from Privilege Cloud.

  2. Check the AppConsole.log file on the Credential Providers machine that appears disconnected.

Check the log on status of the Credential Providers - Privilege Cloud connection (at the top of the log file). If the log on status is not successful, review the Credential Providers troubleshooting topic to identify the problem and try to resolve it.

If you are unable to resolve the issue yourself, contact CyberArk support.