Accounts Feed
Configure the accounts feed
Configure Windows discoveries to communicate with the Active Directory using LDAPS.
- Make sure that LDAPS is configured on your domain. For details, see Microsoft documentation.
- In the CPM/PVWA server network adapter, add a DNS server address so that the server can resolve and communicate with the Active Directory domain.
- Install the domain certificates:
  - On the CPM machine, install the domain certificate in the Trusted Root Certification Authorities store.
  - On the PVWA machine, install the domain certificate in the Trusted Root Certification Authorities store.
  To import the domain controller's certificate into the machine's certificate store, use any procedure that you normally use to import SSL certificates into the machine's certificate store. Trusting the certificate of the CA that issued the domain controllers' LDAPS certificates, rather than a single domain controller's own certificate, keeps the chain valid when the domain controller certificate is renewed.
- On the CPM/PVWA server, make sure that outbound port 636 is open for secure communication to the Active Directory domain.
- In the PVWA, create Windows discoveries as described in Manage Discovery Processes. Make sure that Connect to the Active Directory using a secure connection is selected.
- To check that LDAPS is configured and activated, click Browse; if LDAPS is activated, the Active Directory window is displayed and you can select the OU to scan.
Discoveries that were created in previous versions of the Privileged Access Manager - Self-Hosted solution use LDAP by default. To configure these discoveries for LDAPS, recreate the discovery.
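The following script, added here as an example and not part of the CyberArk documentation, runs the checks behind the steps above from the CPM or PVWA server: DNS resolution of the domain, TCP reachability of port 636, presence of the CA certificate in the machine's Trusted Root store, validation of the certificate the domain controller presents, and an LDAPS bind with the discovery account. The domain name, domain controller name, CA certificate path and credential prompt are placeholders to replace with your own values.

```powershell
# Added example (not from the CyberArk documentation): pre-flight checks for the
# LDAPS steps above, run on the CPM or PVWA server from an elevated prompt.
# Domain, DC and certificate path values are assumptions; replace them.
param(
    [string]$Domain           = 'corp.example.com',        # assumption: your AD DNS domain
    [string]$DomainController = 'dc01.corp.example.com',   # assumption: a DC name that matches its certificate
    [string]$CaCertPath       = 'C:\Temp\corp-root-ca.cer' # assumption: exported issuing/root CA certificate
)

# 1. DNS: the server must resolve the domain (DNS server address step).
$dns = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop
"DNS: $Domain -> $($dns.IPAddress -join ', ')"

# 2. TCP 636 must be reachable (port 636 step).
$tcp = Test-NetConnection -ComputerName $DomainController -Port 636 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { throw "TCP 636 to $DomainController is blocked" }

# 3. Install the CA certificate in the machine's Trusted Root store (certificate step)
#    if it is not already there. Trusting the issuing CA, rather than the DC's own
#    certificate, keeps LDAPS working after the DC certificate is renewed.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaCertPath)
if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $ca.Thumbprint)) {
    Import-Certificate -FilePath $CaCertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# 4. Fetch the certificate the DC presents on 636 and validate chain and hostname
#    with the normal Windows trust rules (deliberately no validation-bypass callback,
#    so this fails exactly when the scanner's secure connection would fail).
$client = New-Object System.Net.Sockets.TcpClient($DomainController, 636)
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($DomainController)   # throws if the chain or the name check fails
    $dcCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "LDAPS certificate: subject=$($dcCert.Subject) issuer=$($dcCert.Issuer) expires=$($dcCert.NotAfter)"
} finally {
    $ssl.Dispose(); $client.Dispose()
}

# 5. Bind over LDAPS with the discovery account, the same way the scanner will.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$cred = Get-Credential -Message 'Account used by the Windows discovery'
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred.GetNetworkCredential())
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()
"LDAPS bind to $DomainController succeeded"
$conn.Dispose()
```

If step 4 throws, the Browse check in the PVWA will fail for the same reason: either the CA that issued the domain controller certificate is not trusted by this machine, or the name you connect with does not match the certificate's subject or subject alternative names.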
Configure the CPM Scanner
Configure the CPM Scanner in the CACPMScanner.exe.config file, located in:
<CPM installation folder>\Scanner
You can edit parameters that define the connection to the Vault, CPM Scanner filters, logs, and optimization.
For details on these parameters, see CPM scanner parameters file (CACPMScanner.exe.config).
Customize the Pending Accounts grid
The following parameter, in the PendingAccounts parameters of the Web Access Options, under the Displayed Columns node, enables you to display and hide columns in the Pending Accounts page that are not displayed by default.

Parameter | Description
---|---
Visible | Defines whether or not users can display or hide these columns.
Unix/Linux-specific configuration
When scanning Unix/Linux devices, the CPM scanner uses various parameters in the UnixPrompts.ini configuration file. This file is located in the CPM scanner installation folder (by default: C:\Program Files (x86)\Cyberark\Password Manager\Scanner), the same directory as CACPMScanner.exe, and can be customized according to the Unix/Linux machine's specific configuration.
You can configure the following parameters in the UnixPrompts.ini file:

Parameter | Description
---|---
LoginPassword | A regular expression that matches the password prompt displayed by the login process.
SudoPassword | A regular expression that matches the password prompt displayed by a Unix/Linux system when sudo is used. The CPM scanner uses this regular expression to recognize the prompt so that it can run commands with sudo.
SudoError | A regular expression that matches an error returned when commands are run with sudo. The CPM scanner uses this regular expression to recognize sudo errors.
The following parameters enable the CPM scanner to support Unix/Linux flavors in which the required files are located in non-standard folders. If the CPM scanner does not find a file in its default path, it uses the relevant path parameter to search for it.
Specify the parameters in the table below in the Paths section of the UnixPrompts.ini file. In each parameter, specify the full path, including the file name. Separate multiple paths with a semicolon (;).

Parameter | Description
---|---
passwdPath | A list of paths to possible locations of the passwd file.
groupPath | A list of paths to possible locations of the group file.
shadowPath | A list of paths to possible locations of the shadow file.
sudoerPath | A list of paths to possible locations of the sudoers file.
Configure the onboarding process
The following parameter, in the Accounts Feed parameters of the Web Access Options, prevents dependencies that could be non-legitimate or malicious from being automatically onboarded as enabled by the system. You can configure the workflow so that any newly detected dependencies associated with domain accounts must be approved, including the account itself.

Parameter | Description
---|---
OnboardNewDependencyAsDisabled | Defines whether to enable or disable this workflow. When it is enabled, new dependencies of domain accounts, and the account itself, are onboarded as disabled; you can enable the dependencies and the account manually after the new dependencies have been onboarded. This behavior applies to domain accounts only. Dependencies associated with local accounts are onboarded as enabled for CPM management. Acceptable Values:
Manage the accounts feed
The CyberArk Central Policy Manager Scanner service scans machines and discovers privileged accounts and their dependencies. A scanner is installed with each CPM so that you can scan all distributed networks in your organization. For details about managing the CyberArk Central Policy Manager Scanner service, see Accounts Feed.
You can manage the discovery processes, view the results and onboard accounts in the PVWA.
Parameter | Description
---|---
ShowAccountsDiscovery | Whether or not a link to the Accounts Discovery page is displayed in the Accounts page. By default, this parameter is enabled. This parameter is in the PVWA General Options parameters.
Stop/Start the CPM Scanner
The CPM Scanner service is installed on the CPM machine automatically during the CPM installation.
When you are not working with the Accounts Feed, you can stop the CPM Scanner service to disable the scanning functionality and reduce the workload on the Vault.
Stop the CPM Scanner service:
- On the CPM machine, from the Start menu, select Settings, then Control Panel.
- From the list of Control Panel options, select Administrative Tools, then Services; the Services window appears.
- Stop the CyberArk Central Policy Manager Scanner service.
Start the CPM Scanner service:
- On the CPM machine, from the Start menu, select Settings, then Control Panel.
- From the list of Control Panel options, select Administrative Tools, then Services; the Services window appears.
- Start the CyberArk Central Policy Manager Scanner service.
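The same stop and start procedure from an elevated PowerShell prompt on the CPM machine, added here as an example and not CyberArk's own code. It looks the service up by the display name the documentation gives, because the service's short name is not stated on this page and is not assumed; the option to disable automatic start while the Accounts Feed is unused is an addition for administrators who stop it for long periods.

```powershell
# Added example (not CyberArk's code): stop/start the CPM Scanner service from
# PowerShell on the CPM machine. Lookup is by display name only.
$displayName = 'CyberArk Central Policy Manager Scanner'

function Get-CpmScannerService {
    $svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
    if (-not $svc) { throw "Service '$displayName' not found; run this on the CPM machine" }
    return $svc
}

# Stop the scanner while the Accounts Feed is not in use; -DisableAtBoot also
# keeps it from starting again after a reboot.
function Stop-CpmScanner {
    param([switch]$DisableAtBoot)
    $svc = Get-CpmScannerService
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -InputObject $svc -ErrorAction Stop
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }
    if ($DisableAtBoot) { Set-Service -InputObject $svc -StartupType Disabled }
    Get-Service -DisplayName $displayName | Select-Object DisplayName, Status, StartType
}

# Start it again when discoveries are needed; restore automatic start first so
# the scanner survives the next reboot.
function Start-CpmScanner {
    $svc = Get-CpmScannerService
    if ($svc.StartType -eq 'Disabled') { Set-Service -InputObject $svc -StartupType Automatic }
    if ($svc.Status -ne 'Running') {
        Start-Service -InputObject $svc -ErrorAction Stop
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    }
    Get-Service -DisplayName $displayName | Select-Object DisplayName, Status, StartType
}

Stop-CpmScanner -DisableAtBoot
# ... later, when the Accounts Feed is needed again ...
Start-CpmScanner
```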
CPM Scanner logs
All activities that are carried out by the CPM Scanner service are written to log files stored in subfolders of the Password Manager installation folder.
The following log files contain the activities of the CPM Scanner.

File | Description
---|---
CACPMScanner.log | Contains informational messages and errors about CPM Scanner operation. This log is meant for the system administrator who needs to monitor the status of the CPM Scanner. It is stored in the Logs subfolder of the Password Manager installation folder. Once the log reaches 200MB, it is moved to an archive folder, by default C:\Program Files (x86)\CyberArk\Password Manager\Logs\Archive.
DNAConsole.log | Indicates when the discovery process began and records any general errors that occurred. This log file is stored in the Scanner\Log subfolder of the Password Manager installation folder.
DNATrace-<timestamp>-PM.log | Contains detailed information about each scan. The timestamp is the date and time when the discovery process started. This log file is stored in the Scanner\Log subfolder of the Password Manager installation folder.
Activities carried out in discoveries that were not completed successfully are stored in a specific discovery log and can be viewed in the Discovery Management page.