External Storage Device

You can store PSM video and text recordings outside of the vault, in an external storage device.

How it works

You can configure a PSM to store recording files in the Vault or in an external storage. Recordings from multiple PSM servers can use the same storage architecture.

When configured to work with an external storage, a PSM uploads the video recording file and the text recording file to an external storage device when a session ends. The session file that captures the meta data for the session recording is saved in the Vault specifically, in the recording safe configured for the account's platform. The StorageLocation File Category in the session file specifies the recording file's external storage location.

To upload a recording file, the PSM connects to the storage device and authenticates using the internal upload-user's credentials stored in the Vault. The recording files are uploaded using the SMB protocol.

When an Auditor wants to review a session's recording in the PVWA, the PVWA authenticates to the storage device using the internal download-user's credentials, and streams or downloads the files using the SMB protocol.

Auditors can access session recordings from the PVWA using the same permissions as in previous versions. While the video recording file and the text recording file is stored in the external storage, the session file is stored in the recoding safe in the Vault. An Auditor requires authorization for the recording safe in which the session file is stored.

For permission details, see Permissions.

Set up an external storage device

Device requirements

You can use any storage device that complies with the following secured storage requirements:

Requirement	Description
Secure Communication And Authentication	The storage must support the SMB 3.0 protocol. It is recommended to apply the following requirements to benefit from SMB mutual authentication support (Kerberos Protocol): Use the external storage host name, NOT the external storage IP address, when configuring the addresses of the privileged accounts of the internal Upload-user and Download-user. For details, see Create a privileged account to upload files to the storage device Create a privileged account to download files from the storage device The external Storage should be in the same Domain as the PSM and the PVWA, or in another domain in the same tree which has a two-way trust relationship with the PSM and PVWA domain.
Storage-level Tampering Protection	Enable only authorized users, such as CyberArk systems and maintenance users, to access the storage. It is recommended to protect the storage maintenance users' credentials in the Vault. Where possible, ensure that all access to the storage is performed through the PSM, using a built-in connection component or by creating a custom Universal Connector connection component. It is recommended to protect the storage with disk encryption\ file system encryption (such as BitLocker) to provide protection at rest.
File Sharing Support	The storage device should provide data access to a group of hosts and be accessible for multiple read and write operations simultaneously, such as a file server or network-attached storage (NAS).

Requirement

Description

Secure Communication And Authentication

The storage must support the SMB 3.0 protocol.

It is recommended to apply the following requirements to benefit from SMB mutual authentication support (Kerberos Protocol):

Use the external storage host name, NOT the external storage IP address, when configuring the addresses of the privileged accounts of the internal Upload-user and Download-user.

For details, see
- Create a privileged account to upload files to the storage device
- Create a privileged account to download files from the storage device
The external Storage should be in the same Domain as the PSM and the PVWA, or in another domain in the same tree which has a two-way trust relationship with the PSM and PVWA domain.

Storage-level Tampering Protection

Enable only authorized users, such as CyberArk systems and maintenance users, to access the storage.

It is recommended to protect the storage maintenance users' credentials in the Vault. Where possible, ensure that all access to the storage is performed through the PSM, using a built-in connection component or by creating a custom Universal Connector connection component.

It is recommended to protect the storage with disk encryption\ file system encryption (such as BitLocker) to provide protection at rest.

File Sharing Support

The storage device should provide data access to a group of hosts and be accessible for multiple read and write operations simultaneously, such as a file server or network-attached storage (NAS).

Create designated users on the storage device to upload and download files

The PSM and PVWA both require designated users on the storage device to upload and download recording files. Configure one user on the storage device to upload files and another user to download files, each with the appropriate permissions. These users can be either local or domain users.

If you are managing those users through CPM, you must use a local user.

Define a shared location

Define a shared storage location on the storage device where the recording files are stored. Make sure the upload and download users have access to this share.

Configure PSM to use an external storage device

This section describes how to configure the PSM to store recording files in an external storage device

Configure the PSM to store recordings in an external storage device

Edit the Basic_psm.ini file to configure which storage device a PSM uses to store recordings. By default, the path to this file is C:\Program Files (x86)\CyberArk\PSM.

Add the shared storage location on the storage device where the recording files are stored in the StorageRecordingsFolder parameter:

StorageRecordingsFolder="<Shared Folder>"

StorageRecordingsFolder="Recordings"

Add a storage object that uniquely identifies the password objects used by PSM to upload recordings to the storage device and by PVWA to download recordings from the storage device:

 StorageObject="<Storage identifier>".

StorageObject="Storage1"

Save the Basic_psm.ini and close.
Restart the PSM service.

Create a privileged account to upload files to the storage device

In the Accounts page, click Add Account.

Enter the following:

UI Element

Value

Safe

PSM

Device

Operating System

Platform Name

Windows Server Local Accounts

Address

Computer Name or IP of the storage device.

For Microsoft network providers on Windows Vista and later, the address can contain an IPv6 address. However, the IPv6 literal format must be used.

Replace each ':' with '-' followed by the ".ipv6-literal.net" string.

Username

specify the username of the designated storage user that uploads files to the external storage device

Logon to

Specify the domain name of the designated storage user that uploads files to the external storage device. If it is a local user, specify the computer name or address.

Password

Enter the password of the designated storage user that uploads files to the external storage device.

Name

Select Custom.

Enter a name for the account using the following naming convention:

<Storage Object value>Upload

Storage1Upload

You can also add accounts using the Add Account Web service.

Create a privileged account to download files from the storage device

In the Accounts page, click Add Account

Enter the following information: