PSM wizard installation
This section describes how to manually install the Privileged Session Manager on a server and register it in the Vault.
Run the standard install
PSM installation runs the hardening steps by default, including PSMConfigureApplocker. Ensure that the PSMConfigureApplocker.xml file is updated before you continue.
You can always re-run the PSMConfigureApplocker script at a later stage. For details, see Hardening.
Log on as a domain user who is a member of the local administrators group.
Create a new folder on the PSM server machine. From the installation CD, copy the contents of the Privileged Session Manager folder to your new folder .
Display the contents of the Privileged Session Manager folder.
Start the installation procedure:
Double-click Setup.exe or,
On systems that are UAC-enabled, right-click Setup.exethen select Run as Administrator.
The PSM installation wizard appears and displays a list of prerequisites that are installed before the PSM installation continues.
Click Install to begin the installation process; the installation process begins and the Setup window appears.
You can exit installation at any time by clicking Cancel. You can return to the previous installation window by clicking Back, where applicable.
Click Next to view the CyberArk license and accept the terms of the License Agreement.
Read the license agreement, then click Yes to accept its terms.
On the Customer Information window, enter your name and your Company name in the appropriate fields, then click Next.
On the Destination Location window, click Next to accept the default location provided by the installation
, or click Change and select another location.
On the Recordings Folder window, click Next to accept the default recordings folder provided by the installation
, or click Change and select another location.
- The Recordings Folder may require a large amount of disk space, depending on the number of recordings that are stored there before being uploaded into the Vault.
- Take into consideration that, by default, the recordings folder is on the System disk under Program Files and you may want to change it to a different location.
If you install multiple PSMs in the same Vault environment, verify that each PSM has the same path to the Recordings folder.
On the Password Vault Web Access Environment window, click Next to accept the default name of the PVWA Configuration Safe provided by the installation
, or specify the name of another Safe name that is used as the PVWA Configuration Safe.
Click Next; the installation automatically installs the Oracle Instant Client, then displays the Vault's Connection Details window.
Specify the IP or DNS address and the port number of the Digital Vault, then clickNext.
Skip this step if you want to register the Vault later or if the PSM is already registered. For details, see Install the PSM server in stages.
On the Vault's Username and Password Details window, specify the username and password of the Vault user carrying out this installation, then click Next .
- It is recommended to use the Vault administrator user for this installation as this user has the appropriate Vault authorizations and is created in the appropriate location in the Vault hierarchy.
- If you install multiple PSMs in the same Vault environment, you must install all PSMs with the same Vault user
If a previous PSM has been installed on this machine and a PSM was created, the following message will appear:
This is an informative message. Click OK to continue installation.
On the API Gateway Connection Details window, enter the protocol and hostname of the PVWA where the PSM connects to the API Gateway, then click Next. This information is used to generate an endpoint for API calls (<protocol>://<Host>/passwordvault/api).
This window is for use in a Distributed Vaults environment and to automatically unlock accounts.
The PSM machine must have trusted communication to the PVWA machine.
Port 443 between the PSM the PVWA machines must be open.
On the PKI authentication configuration window, select the checkbox to enable smart card authentication, then click Next.
- Do not enable this setting if PKI Authentication is not used in your organization.
- If you do not enable this setting during installation and want to enable PKI authentication for PSM, follow the instructions in During PSM installation.
On the Hardening window, click Advanced to customize the post installation and hardening processes, or click Next to perform the standard post installation and hardening processes and display the Setup Complete window.
If you clicked Advanced, select the post installation and hardening processes that the installation will run, then click Next to display the Setup Complete window.
Click Finish to complete the Privileged Session Manager installation.
- Restart the PSM server.
You can also restart the PSM server at a later stage.
On the PVWA machine, run iisreset,
Wait for the PVWA refresh configuration interval to pass.
Install the PSM server in stages
This enables you to install PSM for any of the following scenarios:
You do not have Vault credentials
The Vault is not activated
The Vault is not installed
Using the Registration tool , the Vault administrator can register the PSM server to the Vault either before or after the PSM server installation.
To install PSM in stages:
Follow the Run the standard install procedure.
If you are installing PSM for a Manager Service Provider customer, see PSM wizard installation.
Skip steps 10 - 12. These steps register the PSM server to the Vault.
- Use the Registration tool to register the PSM server to the Vault.
Follow the instructions in Registration to register the PSM server to the Vault.
Activate the Privileged Session Manager server
To activate PSM:
If you did not use the default recordings folder provided by the installation , you will need to update the path to the recordings folder.
Go to PVWA > ADMINISTRATION > Options > Privileged Session Management > General settings > Recorder settings. Update the value of the recordings folder path on the PSM machine.
You need to manually start the CyberArk Privileged Session Manager Service:
- Go to Start> Settings > Control Panel.
- Select Administrative Tools > Services.
- Right-click CyberArk Privileged Session Manager.
- Select Start.