General settings
This topic describes how to configure the general settings for the Privileged Session Manager.
Overview
In Web Access Options, the General Settings parameters in the Privileged Session Management section define how the PSM will function.
These parameters are divided into the following groups:
General Setting > Parameter Name | Effects PSM Function |
---|---|
Search properties | Define the password and recording properties that will be searched when a search for session recordings is initiated. |
Server settings | Define the general PSM server settings. Configure the PSM log files. |
Session settings | Define single sessions and the way that PSM handles recordings that cannot be uploaded to the Vault. |
Recorder settings | Configure the session recorder. |
Connection client settings | These parameters configure connection clients. |
Search properties
The parameters in SearchProperties define the password and recording properties that will be searched when a search for session recordings is initiated:
Parameter | Description |
---|---|
MaxRecords | This parameter specifies the maximum number of session recordings that will be included in the Recordings search results. By default, 1000 recordings will be included in the search results. |
Recording | This parameter defines the recording properties that will be searched. |
Password | This parameter defines the password properties that will be searched. |
Server settings
The following parameters, in Server Settings, configure PSM server activities:
Parameter | Description |
---|---|
MaxConcurrentTSSessions | This parameter specifies the maximum number of allowed concurrent PSM sessions. To achieve best performance for user sessions, set a maximum number of concurrent sessions that is appropriate to the size of your PSM implementation. For details about the maximum number of concurrent sessions that is supported for different PSM implementations, |
MaxConcurrentUploaders | This parameter specifies the maximum number of allowed concurrent processes to upload recording files to the Vault. |
 | This parameter specifies the interval in seconds between each configuration refresh process. |
ClearUserProfilesInterval | The number of days between processes that clear user profiles. Specify '0' (zero) to disable. The default value is 30. |
DisableExceptionHandling | This parameter (under Advanced Settings) determines whether or not a crash dump will be created when a system error occurs. |
ShutdownTimeout | This parameter (under Advanced Settings) specifies the maximum time in seconds to wait for internal jobs to finish when shutting down the server. |
 | For PSM for Windows: When using RADIUS authentication in CyberArk, where the RADIUS server is configured to work with LDAP, this parameter (under Advanced Settings) determines whether or not PSM requires the user to authenticate again after network level authentication (NLA). |
 | The default Smart Card authentication is based on PKI with Distinguished Name (DN). This parameter (under Advanced Settings) configures the authentication to be based on PKI with Principal Name (PKI\PN). |
User Profile Settings
As part of the PSM flow, a Shadow user is locally created on the PSM machine for each Vault user.
The Shadow user's profile is limited to protect the PSM machine. When the Shadow user profile exceeds the set threshold the end user receives a warning at the beginning of the session.
PSM automatically cleans the Shadow user profile according to the configured folders on each cleanup interval.
Administrators can configure PSM to remove the shadow users in each interval, using the CleanupFolders parameter.
To configure these parameters, add this section in configuration:
When you add this section, you must restart all PSMs in your environment that are version 11.6 or earlier.

UserProfileThreshold | |
Description | The Shadow user profile folder on the PSM machine is limited in size. Set this parameter to define the threshold in MB. When the folder exceeds the threshold, a message is displayed to the user at the beginning of each session. |
Acceptable Values | Number |
Default Value | 100 |

NotificationLevel | |
Description | When the Shadow user profile folder exceeds the UserProfileThreshold, the corresponding user's session responds according to the following: |
Acceptable Values | |
Default Value | Notify |

NotificationText | |
Description | The message displayed to the user at the beginning of a session when the Shadow user profile folder on the PSM machine exceeds the UserProfileThreshold. |
Acceptable Values | String |
Default Value | User profile storage space has been exceeded. Please contact your administrator |

CleanupInterval | |
Description | Define an interval (in hours) when all Shadow user profile folders are cleaned. Shadow user profile folders are cleaned when 70% of the UserProfileThreshold is reached. Use '0' to disable cleanup. |
Acceptable Values | Number representing hours |
Default Value | 24 |

CleanupFolders | |
Description | The Shadow user profile folders to be cleaned. Use '-' to entirely remove the Shadow User from the PSM machine. |
Acceptable Values | String |
Default Value | Desktop, Documents, Downloads, Favorites, Links, Music, Pictures, Saved Games, Videos |

CleanupProcessTimeout | |
Description | The timeout (in seconds) for every Shadow user profile folder removal. If the timeout is reached before the folder is deleted, PSM will try to delete the folder at the next CleanupInterval. |
Acceptable Values | Number |
Default Value | 120 |
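
To see how the threshold, the 70% cleanup point and the CleanupFolders list interact on a PSM machine, the following PowerShell measures each profile folder and how much of it sits in the folders that cleanup removes. It is an added example, not part of the CyberArk documentation; the function name `Get-ProfileUsage`, the profile root `C:\Users` and the `NameFilter` parameter are assumptions to adjust for your environment.

```powershell
# Added example: compare profile folders with UserProfileThreshold and the 70% cleanup point.
function Get-ProfileUsage {
    param(
        [string]   $ProfileRoot    = 'C:\Users',  # assumption: where Shadow user profiles live
        [string]   $NameFilter     = '*',         # assumption: narrow this to your Shadow user accounts
        [int]      $ThresholdMB    = 100,         # UserProfileThreshold default value
        [string[]] $CleanupFolders = @('Desktop', 'Documents', 'Downloads', 'Favorites', 'Links',
                                       'Music', 'Pictures', 'Saved Games', 'Videos')
    )

    # Size of one folder tree in MB; a missing or empty folder counts as 0.
    function Get-SizeMB([string]$Path) {
        if (-not (Test-Path -LiteralPath $Path)) { return 0 }
        $sum = (Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
                Measure-Object -Property Length -Sum).Sum
        return [math]::Round(($sum / 1MB), 1)
    }

    foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory -Filter $NameFilter) {
        $total   = Get-SizeMB $dir.FullName
        $reclaim = 0
        foreach ($f in $CleanupFolders) { $reclaim += Get-SizeMB (Join-Path $dir.FullName $f) }

        [pscustomobject]@{
            Profile        = $dir.Name
            TotalMB        = $total
            CleanableMB    = $reclaim                             # data inside CleanupFolders
            AfterCleanupMB = [math]::Round($total - $reclaim, 1)  # what remains after cleanup
            CleanupDue     = ($total -ge 0.7 * $ThresholdMB)      # 70% of UserProfileThreshold reached
            OverThreshold  = ($total -gt $ThresholdMB)            # user would see NotificationText
        }
    }
}

Get-ProfileUsage | Sort-Object TotalMB -Descending | Format-Table -AutoSize
```

A profile whose AfterCleanupMB is still above the threshold holds its data outside the configured CleanupFolders, so cleaning those folders alone will not bring it back under the limit.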
Configure privileged sessions
The following parameters in Session Settings configure privileged sessions:
Parameter | Description |
---|---|
MaxSessionDuration | This parameter determines the maximum duration of the session, in minutes. This can be specified as a general PSM parameter or in a specific platform. When users log off from the remote Windows machine, the sessions on both the PSM and the remote machine are ended. However, when users disconnect the session by clicking Close or if the MaxSessionDuration parameter has expired, the PSM session is automatically ended, but the session on the remote machine continues running. The next time they log on to the same remote machine through the PSM, they will continue the same session as before. To prevent this, make sure that the Terminal Server is configured to end disconnected sessions after a specific time period. |
WarningDisconnectionInterval | This parameter specifies how many minutes before the user's session is disconnected a warning message about the disconnection is displayed. |
EndUserMessageTimeout | This parameter specifies the maximum number of seconds that end user messages will be displayed. |
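
To check the Terminal Server setting that the MaxSessionDuration description calls for, the following PowerShell can be run on the remote Windows machine. It is an added example, not part of the CyberArk documentation; it reads the standard Remote Desktop Services `MaxDisconnectionTime` registry values, and the function name `Get-DisconnectedSessionLimit` is hypothetical.

```powershell
# Added example: report whether this Windows target ends disconnected RDP sessions.
# Run on the remote (target) machine, not on the PSM server.
function Get-DisconnectedSessionLimit {
    [CmdletBinding()]
    param()

    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # Group Policy ("Set time limit for disconnected sessions") takes precedence when present.
    $policy = Get-ItemProperty -Path $policyKey -Name MaxDisconnectionTime -ErrorAction SilentlyContinue
    if ($null -ne $policy) {
        $source = 'Group Policy'
        $ms     = [int64]$policy.MaxDisconnectionTime
    }
    else {
        $listener = Get-ItemProperty -Path $listenerKey -ErrorAction Stop
        if ($listener.fInheritMaxDisconnectionTime -eq 1) {
            # The limit is taken from each user account's own settings and cannot be judged here.
            return [pscustomobject]@{ Source = 'Per-user settings'; Minutes = $null; EndsDisconnected = $null }
        }
        $source = 'RDP-Tcp listener'
        $ms     = [int64]$listener.MaxDisconnectionTime
    }

    # The value is stored in milliseconds; 0 means disconnected sessions are never ended.
    [pscustomobject]@{
        Source           = $source
        Minutes          = [math]::Round($ms / 60000, 1)
        EndsDisconnected = ($ms -gt 0)
    }
}

$result = Get-DisconnectedSessionLimit
$result | Format-List
if ($result.EndsDisconnected -eq $false) {
    Write-Warning 'Disconnected sessions are never ended here; a session left by a PSM disconnect keeps running.'
}
```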
Upload recorded sessions to the Vault
The following parameters in Session Settings determine how the PSM handles retries when the Vault is not available and recordings cannot be uploaded.
Parameter | Description |
---|---|
DelayBetweenUploadRetries | This parameter specifies the delay in seconds between upload retries to the Vault. |
MaxUploadRetries | This parameter specifies the maximum number of uploading retries to the Vault. |
Manage recording sessions
The following parameters, in Recorder Settings, define how the PSM will manage recordings:
Parameter | Description |
---|---|
EnableDynamicFramesPerSecond | This parameter dynamically adjusts the frames per second rate of the PSM video recorder to decrease the performance impact. This may result in reduced quality when playing the recorded videos. |
FramesPerSecond | This parameter specifies the number of frames to capture per second. The default value is 3. This parameter is used only when EnableDynamicFramesPerSecond is set to No. |
LocalRecordingsFolder | This parameter specifies the name of the local folder where recordings are saved until they are uploaded to the Vault. By default, recordings are temporarily stored in the PSM installation folder. |
Configure the PSM Log Files
The types of messages included in the PSM log files are determined by the TraceLevels parameters in the Connection Client Settings, as follows:
The PSMTrace.log is configured by the following parameters in Server Settings:
Parameter | Description |
---|---|
LogRotationSize | This parameter defines the maximum size in MB of the log file before it is rotated to another location, and a new log file is started. |
TraceLevels | This parameter sets the debug level of the PSM Server. |
A new log file is created for each session for the recorder and the connection client. The trace levels for these files are specified in the following parameters:
Log | Description |
---|---|
<SessionID>.Recorder.log | The <SessionID>.Recorder.log is configured in the Recorder Settings. |
<SessionID>.<connection client>.log | The <SessionID>.<connection client>.log is configured in the Connection Client Settings. |
For more information about logging for the PSM Recorder, refer to PSM activity logs.
Configure PSM server details
The PSM server connection details determine how the PVWA will access the PSM server. You can configure as many PSM servers as you need.
The following parameters in the Configured PSM Servers parameters define the PSM server details:
Parameter | Description |
---|---|
Address | This parameter specifies the address of the PSM server machine used by passwords associated with the platform that uses this PSM server. |
Port | This parameter specifies the port used to access the PSM Server machine used by passwords associated with the platform that uses this PSM server. |
Safe/Folder/Object | These parameters specify the location where the password of the logon account for the PSM Server is stored, and the Object parameter specifies the name of the password. |