PSM for Databases

The PSM can be extended to manage database privileged sessions by installing and configuring connection clients.

This process comprises several steps, as shown in the following diagram and as explained in more detail below.

[Diagram: PSM installation and configuration workflow]

Supported database clients

To connect to Oracle databases, you need one of the following clients:

Toad 10.5.1.3, 10.6.1.3 and 12.10 (32-bit)
SQLPlus (x64 – 11.2.0.0.1, x86 – 11.2.0.1.0)

To connect to Microsoft SQL Server databases:

SQL Server Management Studio 2008, 2012, 2016, 16.x, 17.x

Installation and configuration workflow

Do the following tasks to set up PSM for either an Oracle or Microsoft database:

Database, task and how-to:

Oracle

  Install the 3rd party connection client: see Install Oracle Database Administration Tools
  Configure the AppLocker: see Configure the AppLocker for Oracle
  Configure the PSM connection component: see Configure the PSM Connection Component for Oracle

Microsoft

  Install the 3rd party connection client: see Install Microsoft SQL Server Database Administration Tools
  Configure the AppLocker: see Configure the AppLocker for MS SQL
  Configure the PSM connection component: see PSM for Databases

Install Oracle Database Administration Tools

On the PSM machine, install the relevant Oracle Database Administration Tool:

Oracle Client and SQLPlus

The Oracle Instant Client and SQLPlus are installed automatically during the PSM installation. No additional installation is required.

Toad

Toad for Oracle can be obtained from Quest Software (http://www.quest.com/toad-for-oracle/). For details on installing and configuring Toad, see Toad installation.

Configure the AppLocker for Oracle

Configure the AppLocker to permit SQL*Plus and Toad tools to run on the PSM server.

The PSM AppLocker configuration is saved in the PSMConfigureAppLocker.xml configuration file and must be edited manually before you run the configuration script.

1. Remove the read-only permissions from the PSMConfigureAppLocker.xml file.
2. In the Hardening subfolder of the PSM installation folder, open the PSMConfigureAppLocker.xml configuration file and edit it as described in the next steps.
3. In the AllowedApplications section, remove the comment indication from the Oracle connection clients section:
a. At the beginning of the Oracle connection clients section, remove the following line:

<!-- If relevant, uncomment this part after installing Oracle client and Toad.

b. At the end of the Oracle connection clients section, remove the following line:

End of oracle connections comment -->

4. Make sure that the paths that are specified in the PSMConfigureAppLocker.xml match the installation paths of SQL*Plus and Toad.
5. Save the PSMConfigureAppLocker.xml configuration file and close it.
6. Open a PowerShell window, then use the following commands to start the script:

CD "C:\Program Files (x86)\CyberArk\PSM\Hardening"
.\PSMConfigureAppLocker.ps1

Configure the PSM Connection Component for Oracle

1. In the PVWA, click ADMINISTRATION to display the System Configuration page, then click Options; the main system configuration editor appears.
2. Expand the Connection Components section.
3. Configure the PSM connection component for SQL*Plus.
a. Expand the PSM-SQLPlus configurations. By default, this connection component is configured with the installation path of SQL*Plus.
b. In Target Settings, make sure that the path specified in the ClientApp parameter specifies the path of the SQLplus.exe file.

4. Configure the PSM connection component for Toad.
a. Expand the PSM-TOAD configurations. By default, this connection component is configured with the installation path of the Toad tool.
b. In Target Settings, make sure that the path specified in the ClientApp parameter specifies the path of the Toad.exe file.

For more information about specific parameters, refer to the Privileged Access Security Implementation Guide.

Install Microsoft SQL Server Database Administration Tools

On the PSM machine, install the Microsoft SQL Server Database Administration Tool.

SQL Server Management Studio can be obtained from the Microsoft website.

Configure the AppLocker for MS SQL

The PSM AppLocker configuration is saved in the PSMConfigureAppLocker.xml configuration file and must be edited manually before you run the configuration script.

  1. Remove the read-only permissions from the PSMConfigureAppLocker.xml file.
  2. In the Hardening subfolder of the PSM installation folder, open the PSMConfigureAppLocker.xml configuration file and edit it as described in the next steps.
  3. Configure the AppLocker to permit SQL Server Management Studio to run on the PSM server.

    1. Modify the SQL Server Management Studio <version> processes section, adding the Application line that matches your SQL Server Management Studio version:

      SSMS 2008:
      <Application Name="SSMS2008" Type="Exe" Path="C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe" Method="Publisher" />

      SSMS 2012:
      <Application Name="SSMS2012" Type="Exe" Path="C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\Ssms.exe" Method="Publisher" />

      SSMS 2016:
      <Application Name="SSMS2016" Type="Exe" Path="C:\Program Files (x86)\Microsoft SQL Server\130\Tools\Binn\ManagementStudio\Ssms.exe" Method="Publisher" />

      SSMS 2017:
      <Application Name="SSMS2017" Type="Exe" Path="C:\Program Files (x86)\Microsoft SQL Server\140\Tools\Binn\ManagementStudio\Ssms.exe" Method="Publisher" />

    2. Make sure that the paths specified in the PSMConfigureAppLocker.xml match the installation paths of SQL Server Management Studio.

    3. Save the PSMConfigureAppLocker.xml configuration file and close it.

  4. Open a PowerShell window, and use the following command to start the script:

    CD "C:\Program Files (x86)\CyberArk\PSM\Hardening"
    .\PSMConfigureAppLocker.ps1

    For more information about configuring the PSM machine to allow PowerShell scripts to run, refer to Advanced PSM Implementations.
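Both AppLocker procedures above (Oracle and MS SQL) end with "make sure the paths in PSMConfigureAppLocker.xml match the installation paths" before the script is run. The following PowerShell is an added pre-flight check, not a CyberArk script; it assumes the file holds an AllowedApplications element containing Application entries with Name, Path and Method attributes, as in the SSMS lines shown, and that PSM is installed under the default C:\Program Files (x86)\CyberArk\PSM path.

```powershell
# Added example (not part of the PSM product): validate PSMConfigureAppLocker.xml
# before running PSMConfigureAppLocker.ps1. Assumed structure: <AllowedApplications>
# containing <Application Name=".." Type=".." Path=".." Method=".." /> entries.
$ConfigPath = 'C:\Program Files (x86)\CyberArk\PSM\Hardening\PSMConfigureAppLocker.xml'

# Step 1 of the procedure: clear the read-only attribute so the edited file can be saved.
Set-ItemProperty -Path $ConfigPath -Name IsReadOnly -Value $false

# If the Oracle block is still wrapped in the comment markers the procedure tells you
# to delete, AppLocker never sees SQL*Plus or Toad, so warn before going further.
$raw = Get-Content -Path $ConfigPath -Raw
if ($raw -match 'If relevant, uncomment this part after installing Oracle client and Toad') {
    Write-Warning 'The Oracle connection clients section is still commented out.'
}

[xml]$config = $raw
$problems = @()
foreach ($app in $config.SelectNodes('//AllowedApplications//Application')) {
    $name = $app.GetAttribute('Name')
    $path = $app.GetAttribute('Path')
    if (-not $path) { continue }   # entries without a Path attribute are not checked here

    # Every listed Path must be the real install location of the client.
    if (-not (Test-Path -LiteralPath $path)) {
        $problems += "${name}: file not found at $path"
        continue
    }

    # Method="Publisher" rules match on the binary's Authenticode signature, so an
    # unsigned or modified executable is blocked even when its path is correct.
    if ($app.GetAttribute('Method') -eq 'Publisher') {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $problems += "${name}: signature status '$($sig.Status)' for $path"
        }
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Fix PSMConfigureAppLocker.xml before running PSMConfigureAppLocker.ps1.'
}
Write-Host 'All AllowedApplications paths exist and publisher-rule binaries are validly signed.'
```

Run it from an elevated PowerShell on the PSM server after editing the XML; a thrown error means the configuration script would silently allow fewer clients than intended.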

Known Issues

  • This connection client only supports local database users, and does not support domain users for connecting to the database.

  • Double quotation signs (") in passwords are not supported.

  • Since SSMS.exe doesn't support the double quotation (") character as part of a password, the PVWA does not support it either. Add the double quotation (") character as a forbidden character in the CPM.

  • Object Explorer opens without the database password being supplied.

    By default, when opening SQL Server Management Studio, two windows are created – Editor and Object Explorer. The Object Explorer window requires credentials.

    Workaround: When the editor window is in focus, press ALT+Q+O; the Object Explorer window will be auto-authenticated.

Toad installation

Before you install Toad, do the following:

Enable .NET Framework 3.5 SP1 – Make sure that the Application Server role is enabled on the PSM machine.

The Oracle Instant Client must be installed before installing Toad. It is installed during the PSM installation.

After you install Toad, do the following:

Log in to the PSM machine with a user who has Administrative Rights, and run Toad to perform the initial setup.

During this initial setup, do the following:

  • Input the Toad license key
  • Enable the Toad license for all users:

For this license to be used for the PSM, copy the ProductLicenses.xml configuration file from the administrator directory:

Copy from: the Application Data\Quest Software directory (the default directory is C:\Users\Administrator\AppData\Local\Quest Software)

Copy to: the Default\Application Data\Quest Software directory (the default directory is C:\Users\Default\AppData\Local\Quest Software). If this directory does not exist, create it.

Privileged Access Security 11.2