Privileged Session Manager®

 

CyberArk may choose not to provide maintenance and support services for the CyberArk Privileged Session Manager® with relation to any end-user client machine or target platforms which have reached their formal End-of-Life date, as published by their respective vendors from time to time. For more details, contact your CyberArk support representative.

The Privileged Session Manager® (PSM) is a CyberArk component that enables you to initiate, monitor, and record privileged sessions and usage of administrative and privileged accounts. The PSM does not require a dedicated machine. However, it must be installed on a machine that is accessible to the network.

 

To achieve optimal concurrency it is recommended to install PSM on a dedicated machine.

Supported Operating Systems

PSM can be installed on the following platforms:

  • Windows 2019
     

    Due to RDS licensing enforcement in Windows 2019, a per-user license is no longer supported for local users. We recommend using a per-device RDS license.

    To work with a per-user license on a Windows 2019 machine, PSM users must be moved to the domain level. See PSMConnect and PSMAdminConnect Domain Users for details.

  • Windows 2016 Standard
  • Windows 2012 R2
     
    • For Windows 2012 R2 and Windows 2016, verify that Windows update KB4458842 is installed
    • For Windows 2012 R2, verify that Windows update KB2919355 is installed

Software Requirements

  • Remote Desktop Gateway (optional)
  • Before installing PSM, make sure that the Users group has the Allow Logon Locally Windows permission in the local security policy. This ensures that the PSMShadowUsers group created during PSM installation will have the required permissions. Alternatively, you can set this local security policy permission for the PSMShadowUsers group directly after PSM installation.
  • PSM can be installed on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platforms

Minimum system requirements

The minimum requirements for the PSM are as follows:

Platform:

8 core processor (Intel compatible)

Disk space:

80GB free disk space for installation, and additional 80GB space for temporary workspace

Minimum memory:

8 GB

Communication:

TCP/IP connection to the Digital Vault Server

PSM supported connections

PSM supports connections to remote machines using IPv4 and IPv6 addresses with the following platforms out-of-the-box. Additional platforms can be supported and monitored using the PSM Universal Connector. For more information, see Deploy PSM Connectors.

Platform

Additional Information

Unix, Linux and Network for any SSH-based devices

Support using the following protocols:

  • SSH (including file-transfer capabilities)
  • Telnet

Windows RDP (including file-transfer capabilities)

 

 
  • Connections to and from Windows 2003 and earlier Windows versions are not supported.
  • Target Windows servers must not enable the Always prompt for password policy setting.

Windows Remotely Anywhere

 

AS400 (iSeries)

 

OS/390 (Z/OS)

 

Web-based interfaces, client, and custom applications

 

PSM for Databases

PSM can monitor Oracle DBA sessions through the following DBA tools:

  • Toad
  • SQL*Plus

To monitor Oracle DBA sessions, install the following software on the PSM machine:

  • Toad for Oracle Base Edition v10.5.1.3 , v10.6.1.3, v12.x (32 bit), or v13.x (32 bit)
  • Toad Admin Module v10.5.1.3 or 10.6.1.3

PSM can monitor Microsoft SQL Server DBA sessions through the following DBA tools:

  • SQL Server Management Studio 2008,2012, 2016, 16.x, and 17.x

PSM for Virtualization

PSM can monitor VMWare administration session through the following tools:

  • vSphere Client to connect to vSphere / ESX hosts
  • vSphere Client to connect to vCenter

To monitor VMWare administrator sessions, install the following software on the PSM machine:

  • vSphere Client v4.0, v4.1, v5.0, and v6.0
 

vSphere Client does not work on a hardened machine. The VMware vSphere Client is not supported with TLS1.2 on Windows 2016 R2.

Windows 2016 R2 customers can install the HTML5 Web Client and download the VMWare vSphere Web connector from the Marketplace.

Storage requirement for PSM recordings

The Privileged Session Manager stores the session recordings on the Digital Vault server or an external storage device. For details on storing recordings on an external device, see External Storage Device.

The estimated storage requirement is approximately 50-250 KB for each minute of a recording session. The recording size is affected by the type of session recording (console vs. GUI recording) as well as by the type and number of activities that are performed during the session. For details, see Planning capacity.

To more accurately establish a recording size for your session recordings, we recommend checking the size of an average session recording in your customer environment.

CyberArk component compatibility

PSM is compatible with the following CyberArk components:

  • Digital Vault server
  • Password Vault Web Access
  • Privileged Session Manager SSH Proxy
  • CPM

Each version of PSM is compatible with all versions of these components that have not reached the End of Development Date at the time the PSM version was released.

For example, PSM 11.6 was released in August 2020 and is compatible with version 10.5 and higher of these components, but PSM 11.5, which was released in June 2020, is compatible with version 10.4 and higher of these components.

HTML5 Gateway

  • If you are installing the PSM Gateway using an RPM package, the PSM Gateway supports any Web service, such as Tomcat v 8.5 or v 9, that can support Java 1.6 or later and that can support WAR files.

     

    We recommend using Tomcat as your Web service.

  • Hardware specifications

    Small + Mid-range implementation

    (1-50 concurrent RDP/SSH sessions)

    Mid-range + Large implementation

    (51-100 concurrent RDP/SSH sessions)

    Very large implementation

    (101-200 concurrent RDP/SSH sessions)

    • 2 core processors (Intel compatible)
    • 4 GB RAM
    • 4 core processors (Intel compatible)
    • 8 GB RAM
    • 8 core processors (Intel compatible)
    • 16GB RAM
     
    • Tests are based on 40% SSH and 60% RDP concurrent sessions running with full HD resolution.
    • These requirements are based on a dedicated machine for HTML5 Gateway.
  • Files that are transferred during an HTML5 Gateway session are temporarily stored on the HTML5 Gateway machine, so the machine must have enough available storage space. For example, if there will be 20 sessions that transfer files at the same time, and each session will transfer at most 5GB, you need 100GB of available storage.