Before you install PSM for SSH
Before you run the PSM for SSH setup, perform the following procedures.
The PSM for SSH machine must have SSHD version 7.8 or later to support the following features:
Smart card authentication methods
By default, Red Hat Enterprise Linux 8 includes OpenSSH v7.8, which supports the above features, while Red Hat Enterprise Linux 7 includes OpenSSH v7.4, which does not.
Verify public access
Verify that outbound traffic from the PSM for SSH server is always routed through the same public-facing IP.
Verify the operating system
Make sure that the operating system is supported. For details, see Supported Operating Systems.
Verify the installation package digital signature
The RPM installation packages for Red Hat operating systems are digitally signed, to protect them from alteration after publication.
To verify the digital signature of an RPM package:
Import the RPM-GPG-KEY-CyberArk public key that is provided with the installation package, by running the following command:
rpm --import RPM-GPG-KEY-CyberArk
Verify the signature of the RPM package, by running the following command:
rpm -K -v <package_name.rpm>
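An added example, not part of the CyberArk documentation, for scripting the check above: rpm -K can exit successfully for a package that carries digests but no signature, so this function accepts the verbose output only when a signature line reports OK. The function names, verdict strings, sample outputs and key ID are constructed for illustration.

```shell
#!/bin/sh
# Added example: judge `rpm -K -v` output read from stdin.
# Prints SIGNED (exit 0) only if at least one signature line is OK and
# nothing failed; FAIL (exit 1) on any non-OK signature or digest line;
# NO_SIGNATURE (exit 2) when no signature line is present at all.
rpm_sig_verdict() {
    awk '
        /Signature, key ID/ {
            if ($NF == "OK") { good++ } else { bad++ }
            next
        }
        /digest:/ && $NF != "OK" { bad++ }
        END {
            if (bad > 0)   { print "FAIL"; exit 1 }
            if (good == 0) { print "NO_SIGNATURE"; exit 2 }
            print "SIGNED"
        }'
}

# Run the verification command from the step above and judge its output.
# LC_ALL=C keeps rpm's status words in English for the parser.
verify_rpm() {
    LC_ALL=C rpm -K -v "$1" 2>&1 | rpm_sig_verdict
}

# Constructed sample outputs; package name and key ID are placeholders.
SAMPLE_SIGNED='pkg.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK'
# Digests pass, but nothing proves who published the package.
SAMPLE_UNSIGNED='pkg.rpm:
    Header SHA256 digest: OK
    Payload SHA256 digest: OK'
# Signed, but the public key was never imported with rpm --import.
SAMPLE_NOKEY='pkg.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: NOKEY
    Header SHA256 digest: OK'

# Usage: sh check_sig.sh <package_name.rpm>
[ "$#" -eq 0 ] || verify_rpm "$1"
```

A NO_SIGNATURE or FAIL verdict should stop the installation until the package is downloaded again and the RPM-GPG-KEY-CyberArk import is confirmed.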
From the Privilege Cloud software package that you downloaded in Prepare your machine, copy the PSM for SSH installation zip file(s) to an installation folder on your PSM for SSH server. Select the file that is relevant to your Linux environment, for either RHELinux8 or RHELinux.
Unzip the installation package. The folder and its subfolders are extracted.
Disable the antivirus agent if it is installed on your server.
The psmpparms file is required for the installation process.
To create the file:
Move psmpparms.sample, from the installation package, to the /var/tmp directory and rename it to psmpparms.
mv psmpparms.sample /var/tmp/psmpparms
In the /var/tmp/ directory, open the psmpparms configuration file:
Specify the following mandatory parameters:
Parameter: InstallationFolder
Description: The full path of the installation folder that you created in Prepare the installation environment, and to where you copied the content of the PSM for SSH installation package.
Enter the value Integrated.
Whether or not you accept all the terms of the PSM for SSH end user license agreement. This agreement is in the installation package.
Open this agreement and read it carefully, then set this parameter to Yes.
Note: You must accept this agreement in order for the installation to complete.
Whether or not the PSM for SSH hardening settings will be applied.
Optionally, when installing an additional PSM for SSH on the same host with the same hostname, specify the following parameters:
Change the default app user name to a unique user name that differs from the first PSM for SSH.
Change the default Gateway user name to a unique user name that differs from the first PSM for SSH.
Create a credentials file according to the following steps. The resulting file is to be used by the PSM for SSH installation script to authenticate to Privilege Cloud.
To learn more about the CredFile utility, see CreateCredFile utility.
To create the credentials file:
If required, add the execute permission by running the following command:
chmod 755 CreateCredFile
Create a file called user.cred by running one of the following commands:
Enter the following command:
At the prompt, enter your user name and password, and use the Entropy file.
If the CredFile already exists, the current user name appears as default.
Rotate the password used in the above command.
It is recommended to clean history using
The user credential file must be placed in a folder that is accessible only for the machine or domain administrator who runs the PSM for SSH installation. We highly recommend that you delete the credential file after completing the registration.
Configure the vault.ini file
The vault.ini file contains the parameters for connecting PSM for SSH to Privilege Cloud. It is used during the PSM for SSH setup process.
To configure the file:
Open the vault.ini file for editing.
- Set the Address parameter to the Privilege Cloud IP address (provided to you by CyberArk support).
On all Linux-based operating systems, NSCD is a daemon that provides a cache for the most common name service requests. Disable it to prevent unexpected behavior.
Run the following command to stop NSCD:
systemctl stop nscd.service nscd.socket
Run the following command to disable NSCD:
systemctl disable nscd.service nscd.socket
Some unexpected behavior may occur if you do not disable NSCD. For details, see Using NSCD with SSSD.
Enable SELinux on the PSM for SSH server (optional)
PSM for SSH can be installed in environments where SELinux is enabled. We recommend enabling SELinux on the server before installing PSM for SSH so that the changes required to support SELinux are made automatically during installation. To enable SELinux after installation, see Enable SELinux on the PSM for SSH server.
Next step: Run the PSM for SSH setup