The following features were introduced or enhanced in Privileged Access Security version 12.2.
This version is designated as Long Term Support, as part of our End of Life policy. Customers who install this version will continue receiving security updates and critical bug fixes per our policy.
For more details, please review our End-of-Life policy.
Featured in this release
As the nature of privilege changes, the separation between privilege and standard access becomes more and more indistinct with remote work, both in on-premises and cloud deployments, . Any person can be highly privileged and, as such, the need to cover all users in the organization is growing.
The solution now supports SCIM (System for Cross-domain Identity Management) and SCIM PAM in order to integrate with Identity Governance and Administration (IGA) solutions, such as SailPoint, as well as cloud directories, such as Azure AD. Integration between PAM and IGA provides a unified view with a centralized policy-based identity management for all identities, including privileged identities (individuals and applications) and access entitlements to ensure access policy and regulatory compliance. This enables you to control and automate the user and privileged data (accounts) life-cycle management including managing containers (Safes), Safe permissions, and privileged data (accounts).
The new and improved integration is offered through the CyberArk Identity service and includes high availability and enhanced performance, as well as reducing the solution's footprint in the customer's environment.
For more information, see Integrate with an IGA platform using SCIM.
This capability can be licensed individually upon request.
This capability will be available with the CyberArk Identity 21.7 release.
Business users enhancements
Organizations managing privileged accounts and access in CyberArk also need a way to provide easy and transparent access to applications for non-privileged (business) users, leveraging the same investment already made in the CyberArk PAM solution. Business users, even though they are not administrators or privileged users, have access to critical data in business applications and require proper credentials protection. On the other hand, such users are non-IT and are less technical, and need to access their applications in the simple and standard way they are accustomed to today.
Customers are already leveraging the CyberArk solution for business users via the Business Users UI to enable their users to store and retrieve personal credentials for business applications from the CyberArk Vault.
Business users are now able to log in seamlessly to web applications directly from the application login pages, leveraging the user friendly capabilities of auto-capture and credentials form-fill when launching such applications from the CyberArk Identity service Browser Extension, User Portal and Mobile App. Users can also remotely access these credentials without needing to connect to their corporate VPN or installing any other agents.
This capability is only available to customers licensed with our Identity Security Packages or CyberArk Identity. This feature can also be licensed individually upon request.
Refer to CyberArk OIDC Trust App to enable this configuration, including migration from existing solutions and to Browser Extension for usage details.
Shared Technology Platform
CyberArk Telemetry tool
In version 12.1 we introduced the Telemetry tool that periodically collects and stores information regarding the usage of CyberArk products by our customers. The data is collected from multiple places, such as licenses, the Vault database, and configuration files.
In this version we are introducing an upgrade process for the tool and expanding the list of collected metrics to include:
Deployed and licensed providers
Counts for secrets retrievals
For more information about installation, see Telemetry.
Primary-DR Vault architecture supports Windows Server 2019
CyberArk Digital Vault is now supported to be installed on the Microsoft Windows Server 2019 Datacenter edition operating system for Primary-DR and Cluster Vault architectures.
German and Japanese editions for Server 2019 are also supported for these architectures.
For more information, please review the updated System Requirements.
Improved PVWA-Vault Logger
Starting from this version we are introducing a new and improved logger to improve and simplify the troubleshooting process.
The new logger enables you to define the log folder, define the log pattern, correlate between the Logic Container logs on the Vault and the PVWA logs to identify the end-to-end flow, and determine failures without the need to enable debug mode explicitly.
The new logger component is powered by the log4net solution, an easy to use, reliable, fast, popular, extensible and open source library, designed to deliver logging data to various configured log targets.
For backward compatibility needs, the new logger is turned on by a new flag in the configuration. By default, the new log file is located in the same logs folder as the existing log, and its default name is BLServiceApp.log.
For more information, see PVWA-Vault logger.
Password Vault Web Access
New Safes user interface
We are excited to introduce our Safes view in the new interface. This new interface introduces simplification and better visibility for our customers, which will help improve the process of managing their Safes.
The new interface includes:
Safes list along with their assigned CPM server and description
Single pane for Safe details, along with its members
Manage permissions of existing Safe members
For more information about Safes, see Safes and Safe members.
Link and unlink accounts in Account Details page
As an ongoing mission to simplify the user experience and transition functionality from the classic interface to the new UI, we have added the ability to create linked accounts. Linked accounts are needed when there is more than one account for the password management process. Users can now select an account to associate as a Linked Account.
Linking and unlinking of accounts can also be done using Linked accounts REST APIs.
ServiceNow Quebec support
Integrating the privileged accounts workflow with ServiceNow Incident Management and Change Management is now supported for the Quebec version.
The ServiceNow integration is now available in the CyberArk Marketplace.
This release includes several improvements in our REST API Web services around the User Management, Safes ,and Accounts areas for easier automation and usage.
The following new APIs were added:
Get Safe details - Retrieves the details of a single Safe
Get Safe member - Retrieves the set of permissions a member has for a Safe
Update Safe member - Updates the set of permissions a member has for a Safe
Delete Safe member - Removes all permissions a member has for a Safe
Update Safe - Updates a Safe's details
We also enhanced the following APIs:
Add account group - We expanded this REST API to add Account Group with Policy Type of Rotational Group in addition to PolicyType of Group. This enables our customers to add Rotational Groups via REST APIs. Rotational group platforms are associated with a group of accounts where the credentials are changed asynchronously. This is beneficial in a dual account deployment.
Get users - Added ability to filter by Username and added sort options
Get groups - Added sort options
PVWA new and unified user interface
As the number of offerings that CyberArk delivers grows, we understand that focusing on the look & feel and user interface, while ensuring consistency and continuity across the CyberArk brand, is a key element for our software.
This release will introduce a clean, modern, and more accessible look and feel for PVWA.
The new design will be aligned with Identity, Remote Access, Endpoint Privilege Management and Cloud Entitlement Manager offerings, and will include:
New look for the application layout
New look for the filters and search in all pages
New and accessible colors contrast and backgrounds
Deprecation of the comfortable and compact view
There are no changes in the classic UI.
System health dashboard includes Business Users and Remote Vendor users count
The system health dashboard now also includes Business Users and Remote Vendor users in the number of active users.
Cloud and Plugins
Manage Google Cloud Platform (GCP) IAM users
We have introduced a new CPM plugin to manage passwords for Google Cloud Platform (GCP) IAM users. The plugin is available in CyberArk Marketplace.
For more information about setting up and configuring this plugin, see Google Cloud Platform (GCP) - Account management plugin.
Manage MS SQL 2019 passwords
MSSQL 2019 database is now officially supported with our existing MSSQL ODBC CPM plugin. This applies to the MSSQL ODBC 13.1 Plugin that is available in CyberArk Marketplace.
Privileged Session Manager
Improved maintenance of PSM servers with automatic clean-up of PSM Shadow users
PSM Shadow users are automatically created during a PSM connection to isolate the session. This enables programs launched on the same server by different Vault users to run under different identities without the risk of information leak between these sessions. During the established session, some information is saved in the Shadow user profile, which may fill up the PSM server's storage.
In this version, we added an ability to limit the folder size of the PSM Shadow user's profile. In addition, a configurable interval-based clean-up mechanism with the ability to specify subfolders is also available. Moreover, automatic deletion of existing PSM shadow user profiles during the clean-up is available as well.
Custom local recordings path per PSM server
During a PSM session, recording files are temporarily saved on the PSM server before they are uploaded to the Vault. Customers who wish to use unique local recording path per PSM can now set them during the installation, allowing greater flexibility when using multiple PSM servers.
Set a global PSM default connection method (RDP file or HTML5)
This release provides the ability to configure the default connection method. Until now, when using HTML5 gateway all connections were established exclusively with HTML5 Gateway and Vault Admins needed to manually set a toggle to work with both connection methods (for example, HTML5 for remote access and RDP file for working within the network). Setting the default connection method when using both RDP file and HTML5 gateway connections simplifies the configuration. It saves the need to manually configure a toggle on all account platforms, and adds the ability to use both connection types as default connection. Now, Vault admins can configure only dedicated platforms to work both with HTML5 connections and RDP file while allowing all other platforms to work with the selected default connection method without having a toggle at all.
PSM security improvements
The WinSCP client that is used in PSM-WinSCP connection component was upgraded to version 5.17.9 for enhanced security.
PSM HTML5 Gateway security improvements
Internal third-party libraries used by the PSM HTML5 Gateway were upgraded for enhanced security.
The HTML5 Gateway CentOS Docker image was upgraded to version 7.9.2009.
Privileged Session Manager for SSH
Improved user experience in PSM for SSH when integrating with Ticketing systems
In this version we added a retry mechanism that enables users to correct and re-enter the ticket ID when it includes invalid control characters, such as backspace or escape. This ensures session continuity and prevents the need to reconnect and initiate a new session to correct the entered Ticket ID. In addition, the retry mechanism is configurable and enables you to set the maximal number of retries.
Privileged Threat Analytics
Automatic deployment of PTA on AWS
This release includes an AMI (Amazon Machine Image) for PTA server and a CloudFormation template that deploys the AMI on an AWS cloud platform. The CloudFormation template is available in Github. This enables a quick and automated deployment for customers leveraging CyberArk threat analytics capabilities on AWS environments.
PTA security improvements
Internal components were upgraded to enhance security and make technological improvements to the operating system and third-party components for the PTA Server and Network Sensor. As part of the upgraded components on the PTA Server, a Mongo DB was upgraded to version 3.6.
CyberArk highly recommends that all CyberArk customers upgrade PTA to the latest version, to ensure that their PTA server is protected.
Secrets Manager - Conjur Enterprise (formerly AAM Dynamic Access Provider)
Eliminate the secret zero problem using a new way to authenticate workloads based on JWT
To secure different DevOps tools and workloads with minimum effort and eliminate the secret zero problem, we have introduced a new JWT-based authenticator. The JWT Authenticator enables any workload that can serve a JSON Web Token (JWT) to authenticate to Conjur. The JWT Authenticator enables you to configure a generic and flexible authentication. The configuration can be customized based on fields in the JWT while complying with the protocol's security standards.
Support for OpenShift 4.7
Version 12.2 is approved for running in OpenShift v4.7. This covers all supported components and configurations of Conjur Enterprise, including Secretless.
Enhanced OpenShift/Kubernetes integration documentation
The documentation for setting up the Conjur-OpenShift/Kubernetes integration is now much easier to follow, using interactive workflow charts to provide the right information for the relevant setup option.
Automation-friendly configuration of trusted proxies
Introduced in release 11.7, Conjur enables load balancers to become trusted proxies, so that client IP addresses behind them are properly identified and audited. In this release, we introduce a new mechanism to configure trusted proxies, which is easier, more reliable, and automation friendly. You can now manage the configuration data externally and feed it to Conjur as part of your automation pipeline. You can choose to use environment variables or mount custom configuration files to the Conjur Docker container.
We plan to use this mechanism in the future for other configuration tasks in Conjur, driving consistency and ease of use.
The Vault installation docs have been reorganized and streamlined for improved readability. Installation procedures are now organized according to the main Vault architectures (Primary-DR and Distributed Vaults). The installation process for each Vault type is documented as a complete end-to-end flow, enabling users to stay within the main topic and eliminating the need to navigate back and forth between linked pages.