Check Privilege Cloud Connector functionality

This topic presents verification steps following the installation or upgrade of the Privilege Cloud Connector.

Perform Privilege Cloud Connector functionality checks

1. Check CPM functionality and verify an account password

  1. Ensure you have the permission to Initiate CPM account management operations, described in Permissions.

  2. In the Accounts View page, onboard an account. See Scan for accounts using Account Discovery.

  3. Access the account's Overview tab and in the Last Verified section, click Verify.

    A message is displayed indicating that the account is marked for verification.

    The CPM verifies the account during the next password management cycle. When the account is verified, the compliance status is updated.

2. Check PSM functionality

Check the Connector machine and set up an RDP connection to a target machine:

  1. On the Connector machine, open the Services screen and ensure CyberArk Privileged Session Manager is running.

  2. Set up an RDP connection to a target machine that was accessible before the upgrade. See Connect using RDP.

3. Check system health dashboard

Access Privilege Cloud Portal, familiarize yourself with the system monitor dashboard, and check the status of your Privilege Cloud components.

Learn to monitor your system health.

Troubleshoot PSM connector functionality

If any of the PSM connectors are not functioning properly, ensure that the relevant executables are included in the PSMConfigureAppLocker.xml file.

Beginning in Connector version 12.1.7, DLL files are allowed only if they are loaded by the approved executables included in the PSMConfigureAppLocker.xml file. The PSMConfigureAppLocker script automatically finds the relevant DLL files and adds a corresponding AppLocker rule for these DLLs. However, we recommend that you verify that all PSM connectors are working properly after the upgrade. If any of the PSM connectors fail due to blocked DLL files, follow the steps in Detect blocked DLL files below.

  • If you are using a third-party application that deploys DLL files in unexpected locations, verify that the script did not pick up any vulnerable DLL files from the executable's dependencies and add them to the allowed AppLocker rules.

    • Open the Local Security Policy (secpol.msc).

    • Select Application Control Policies > AppLocker > DLL Rules.

      • In the right pane, select the PSMShadowUsers deny rule that has exceptions.

      • In the Deny properties window, go to the Exceptions tab.

      • Review the list of allowed DLLs and verify that they are all valid DLLs.

  • Detect blocked DLL files

    Any changes or additions you make to the default configurations of the AppLocker file may affect the security of your environment and are beyond CyberArk’s control. It is your responsibility to verify these changes are in line with your organization's security policies.

    If a connector fails, run the executable related to this connector and rerun the AppLocker script.

    If the connector is still blocked, do the following:

    1. Open the Windows Event viewer.

    2. Go to Applications and Services Logs\Microsoft\Windows\Applocker\EXE and DLL.

    3. In the left pane, right-click EXE and DLL and select Clear Log…. Select Save and Clear to back up the logged events.

    4. Initiate a connection with the relevant connection through the Privilege Cloud Portal.

    5. Go back to Applications and Services Logs\Microsoft\Windows\Applocker\EXE and DLL.

    6. In the left pane, right-click EXE and DLL and click Refresh.

    7. In the right pane, click Filter Current Log…, under Event level select only Error, and click OK.

    8. Filter for event ID 8004.

    9. For each blocked DLL error found, add a line for that DLL to PSMConfigureAppLocker.xml under AllowedApplications, in the DLL section:

      1. Convert the AppLocker path into an absolute path based on the Microsoft documentation.

        For example, if the AppLocker path is %OSDRIVE%\ORACLE\INSTANTCLIENT\OCI.DLL, replace %OSDRIVE% with %SystemDrive%, a Windows environment variable. The new path will be %SystemDrive%\ORACLE\INSTANTCLIENT\OCI.DLL.

      2. Open PowerShell, type in the following command, and press Enter:

        [System.Environment]::ExpandEnvironmentVariables("<Converted Full Path Of DLL>")

      3. Using the absolute path returned from the previous step (in our example, ORACLE\INSTANTCLIENT\OCI.DLL), add the new DLL exception under AllowedApplications. The method should be Hash; Publisher and Path are also accepted.

        <Libraries Name="UniqueName" Type="Dll" Path="<DLL Absolute Full Path>" Method="Hash" />

      4. To run the PSMConfigureAppLocker.ps1 script, open a PowerShell window and run the following command (the call operator & is required to execute a quoted path):

        & "<PSM installation folder>\Hardening\PSMConfigureAppLocker.ps1"

    Repeat the process (steps 1-9) until the connector works properly.
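As an added PowerShell example (not part of this page or of CyberArk's own scripts), the following collects the blocked DLL paths from AppLocker event 8004, applies the variable conversion and expansion from steps 1 and 2, and prints the Libraries line for step 3. The event XML field names (UserData/RuleAndFileData with PolicyName and FilePath) and the variable mapping beyond %OSDRIVE% are assumptions taken from Microsoft's AppLocker documentation, not from this page.

```powershell
# Added example, not CyberArk's code. Maps AppLocker event 8004 paths to the
# <Libraries> lines that step 3 adds under AllowedApplications.

# AppLocker path variable -> Windows environment variable (assumed from Microsoft's
# AppLocker documentation; the page itself only shows the %OSDRIVE% case).
$AppLockerVars = [ordered]@{
    '%OSDRIVE%'      = '%SystemDrive%'
    '%WINDIR%'       = '%SystemRoot%'
    '%SYSTEM32%'     = '%SystemRoot%\System32'
    '%PROGRAMFILES%' = '%ProgramFiles%'
}

function Convert-AppLockerPath {
    # Steps 1-2: rewrite the AppLocker variable, then expand it to an absolute path.
    param([Parameter(Mandatory)][string]$AppLockerPath)
    $path = $AppLockerPath
    foreach ($var in $AppLockerVars.Keys) {
        # -replace is case-insensitive; Escape() protects regex metacharacters.
        $path = $path -replace [regex]::Escape($var), $AppLockerVars[$var]
    }
    [System.Environment]::ExpandEnvironmentVariables($path)
}

function New-PsmLibraryRule {
    # Step 3: emit one <Libraries> element. Method stays Hash, as the page recommends.
    param([Parameter(Mandatory)][string]$AppLockerPath)
    $abs = Convert-AppLockerPath -AppLockerPath $AppLockerPath
    if (-not (Test-Path -LiteralPath $abs)) {
        # A Hash rule needs the file on disk; a missing file usually means a wrong mapping.
        Write-Warning "DLL not found at $abs; check the converted path before adding it."
    }
    $name = [IO.Path]::GetFileNameWithoutExtension($abs) + '_Dll'   # must be unique in the XML
    $escaped = [System.Security.SecurityElement]::Escape($abs)
    "<Libraries Name=`"$name`" Type=`"Dll`" Path=`"$escaped`" Method=`"Hash`" />"
}

function Get-BlockedDllPaths {
    # Step 8: blocked-file events (ID 8004) from the EXE and DLL log, DLL policy only.
    # Assumes the event's UserData/RuleAndFileData carries PolicyName and FilePath.
    $filter = @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        if ($data.PolicyName -eq 'DLL') { $data.FilePath }
    } | Sort-Object -Unique
}

# Constructed sample input: the page's Oracle example plus a second blocked DLL.
# On the Connector itself, replace $sample with (Get-BlockedDllPaths).
$sample = @('%OSDRIVE%\ORACLE\INSTANTCLIENT\OCI.DLL', '%PROGRAMFILES%\VENDOR\APP\HELPER.DLL')
$sample | ForEach-Object { New-PsmLibraryRule -AppLockerPath $_ }
```

Review each emitted line against the DLL's expected location before pasting it into PSMConfigureAppLocker.xml, then rerun the script as in step 4.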