Privileged Session Management

These parameters define the PSM/PSM for SSH settings.

General Settings

These parameters define Global PSM/PSM for SSHsettings.

Search Properties

These parameters define the properties that will be searched when searching for session recordings.

MaxRecords
Description The maximum number of session recordings that will be included in the Recordings search results.
Acceptable Values Number
Default Value 1000

Recording

Name
Description The name of the property to use when searching for a recording.
Acceptable Values  
Default Value  

Password

Name
Description The name of the property to use when searching for a recording.
Acceptable Values

 
Default Value

 

Server Settings

MaxConcurrentTSSessions
Description The maximum number of allowed concurrent PSM sessions. To achieve best performance for user sessions, set a maximum number of concurrent sessions that is appropriate to the size of your PSM implementation.
Acceptable Values Number
Default Value 100
MaxConcurrentUploaders
Description The maximum number of allowed concurrent processes to upload recording files.
Acceptable Values Number
Default Value 5
ConfigurationRefreshInterval
Description The interval in seconds between each configuration refresh process.
Acceptable Values Number
Default Value

600
LogRotationSize
Description The maximum size in MB of the log file before it is rotated to another location, and a new log file is started.
Acceptable Values Number
Default Value 25
PurgeLogsThreshold
Description The number of days until old log files are automatically deleted. Value with zero to disable the automatic log deletion.
Acceptable Values Number
Default Value 0
TraceLevels
Description Sets the debug level of the PSM server.
Acceptable Values Number
Default Value 0

User Profile Settings

Parameter

Description

UserProfileThreshold

The Shadow user profile folder on the PSM machine is limited in size. Set this parameter to define the threshold in MB. When the folder exceeds the threshold, a message is displayed to the user at the beginning of each session.

Default: 100

NotificationLevel

When the Shadow user profile folder exceeds the UserProfileThreshold, the corresponding user's session responds according to the following:

  • Notify - A message is displayed to the user at the beginning of the session

  • Terminate - A message is displayed to the user at the beginning of the session and the session is terminated

  • Off - The Shadow user profile folder is not examined at the beginning of the session and there is no notification

Default: Notify

NotificationText

Default Value Notify
NotificationText
Description The message displayed to the user at the beginning of a session when the Shadow user profile folder on the PSM machine exceeds the UserProfileThreshold.
Acceptable Values String
Default Value

User profile storage space has been exceeded. Please contact your administrator
CleanupInterval
Description

Define an interval (in hours) when all Shadow user profile folders are cleaned. Shadow user profile folders are cleaned when 70% of the UserProfileThreshold is reached.

Use '0' to disable cleanup.

Use '0' to disable cleanup.

Default: 24

CleanupFolders

The Shadow user profile folders to be cleaned.

Use '-' to entirely remove the Shadow User from the PSM machine.

Default: Desktop, Documents, Downloads, Favorites, Links, Music, Pictures, Saved Games, Videos

CleanupProcessTimeout

The timeout (in seconds) for every Shadow user profile folder removal. If the timeout is reached before the folder is deleted, PSM will try to delete the folder at the next CleanupInterval.

Default: 120

Advanced Settings

DisableExceptionHandling
Description Whether or not a crash dump will be created when a system error occurs.
Acceptable Values Yes/No
Default Value No
ShutdownTimeout
Description The maximum time in seconds to wait for internal jobs to finish when shutting down the server.
Acceptable Values Number
Default Value 60
EnableRadiusAuthWithNLACredentials
Description When using RADIUS authentication in CyberArk, where the RADIUS server is configured to work with LDAP, this parameter determines whether or not PSM requires the user to authenticate again after network level authentication (NLA).
Acceptable Values Yes/No
Default Value No
EnablePKIPNAuth
Description The default Smart Card authentication is based on PKI with Distinguished Name (DN). This parameter (under Advanced Settings) configures the authentication to be based on PKI with Principal Name (PKI\PN).
Acceptable Values Yes/No
Default Value No
PasswordPolicy
Description A password policy for local users generated by PSM.
Acceptable Values Number
Default Value 60
PasswordLength
Description The length of the password.
Acceptable Values Number
Default Value 20
MinUpperCase
Description The minimum number of upper case characters required in the password.
Acceptable Values Number
Default Value 2
MinLowerCase
Description The minimum number of lower case characters required in the password.
Acceptable Values Number
Default Value 2
MinDigit
Description The minimum number of digits required in the password.
Acceptable Values Number
Default Value 1
MinSpecial
Description The minimum number of special characters required in the password.
Acceptable Values Number
Default Value 1
PasswordForbiddenChars
Description A list of characters that cannot be used in the password.
Acceptable Values String
Default Value  

Live Sessions Monitoring Settings

Enable
Description Enables live session monitoring.
Acceptable Values Yes/No
Default Value None
AllowMonitor
Description Determines whether authorized users are able to monitor live sessions.
Acceptable Values Yes/No
Default Value Yes
MonitoringLevel
Description Determines whether authorized users are able to view or control live sessions. This parameter is only relevant when AllowMonitor is set to Yes.
Acceptable Values View/Control
Default Value View
AllowTerminate
Description Determines whether authorized users are able to terminate live sessions.
Acceptable Values Yes/No
Default Value Yes

AllowPSMNotifications

 

Description

Enable PSM to automatically terminate sessions or suspend and resume sessions when notified, by Privileged Threat Analytics, or a third party threat analytics tool.
Acceptable Values Yes/No
Default Value No

Terminating Live Sessions Users and Groups

Name
Description The name of a Vault user or group who can terminate live sessions.
Acceptable Values String
Default Value PSMLiveSessionTerminators

Secure Connect Settings

Enable
Description Enables Secure Connect settings.
Acceptable Values Yes/No
Default Value Yes

SSH Proxy Settings

AuthenticationMethod
Description Defines the authentication method through which the user will be logged on.
Acceptable Values Default/Password/Radius/LDAP
Default Value Default
MaxConcurrentSessions
Description

The maximum number of allowed concurrent SSH Proxy sessions.

  • If you are using Plink as an SSH client, set MaxConcurrentSessions to between 100 and 200

  • If you are using OpenSSH as the only ClientApp connecting to target machines and DisableLegacyAuditThreadpool (see Basic configuration file) is valued with Yes, set MaxConcurrentSessions to between 100 and 500. If DisableLegacyAuditThreadpool is not valued with Yes, set MaxConcurrentSessions to between 100 and 200.

If you change the value of this parameter, you must restart the PSM for SSH server.
Acceptable Values Number
Default Value 100
LDAPUserSSHKeysManagement
Description

Determines whether LDAP users' public SSH keys (required for the user's authentication) are managed in the LDAP directory or in the Vault.

Note:   Non LDAP users' public SSH keys are always managed in the Vault.

Acceptable Values Vault, LDAP
Default Value Vault
LocalRecordingsFolder
Description

The name of the local folder where recordings will be saved until they are uploaded to the server.
Acceptable Values String
Default Value  

Live Sessions Monitoring Settings

Enable
Description Enables authorized users to monitor active sessions.
Acceptable Values Yes/No
Default Value None

LiveSessionsUpdateInterval
Description Specifies the seconds between each update of the live session you are monitoring.
Acceptable Values Number
Default Value 10

Session Settings

MaxSessionDuration
Description The maximum duration in minutes of the session.
Acceptable Values Number
Default Value 0
EnforceDualControlTimeframeOnPSMConnections
Description

Determines whether to enforce the Timeframe set in the Dual Control request on the PSM connection.

If the parameter is set to Yes, PSM sessions are terminated at the end of the Timeframe or at the end of the MaxSessionDuration, whichever is sooner.

The user receives a notification before the session is terminated. The timing of the warning is based on the WarningDisconnectionInterval value .

Acceptable Values Yes/No
Default Value No
WarningDisconnectionInterval
Description The number of minutes before a user’s session is disconnected that a warning message is displayed.
Acceptable Values Number
Default Value 2
EndUserMessageTimeout
Description The maximum number of seconds that end user messages will be shown.
Acceptable Values Number
Default Value 20
DelayBetweenUploadRetries
Description The delay in seconds between upload retries to the Vault when the Vault is not available.
Acceptable Values Number
Default Value 300
MaxUploadRetries
Description The maximum number of uploading retries to the Vault when the Vault is not available.
Acceptable Values Number
Default Value 20

Advanced Settings

VirtualChannelTimeout
Description The maximum number of milliseconds to wait for virtual channel reads between the PSM server and Password Vault Web Access.
Acceptable Values Number
Default Value 10000
RecorderConnectionTimeout
Description The maximum number of milliseconds that the recorder will try to communicate with the server.
Acceptable Values Number
Default Value 500
SessionKeeperConnectionTimeout
Description The maximum number of milliseconds that the server will wait for the SessionKeeper process to initialize.
Acceptable Values Number
Default Value 5000
SessionKeeperShutdownTimeout
Description The maximum number of milliseconds that the server will wait for the SessionKeeper process to terminate.
Acceptable Values Number
Default Value 1000
InitSessionTimeout
Description The maximum number of seconds that the server will wait for the session to be initialized.
Acceptable Values Number
Default Value 15

Recorder Settings

EnableDynamicFramesPerSecond
Description Dynamically adjusts the frames per second rate of the PSM video recorder to decrease the performance impact. This may result in reduced quality when playing the recorded videos.
Acceptable Values Boolean
Default Value Yes
FramesPerSecond
Description The number of frames to capture per second. This parameter is used only when EnableDynamicFramesPerSecond is set to No.
Acceptable Values Number
Default Value 3
KeyFrame
Description The quantity of frames between each key frame.
Acceptable Values Number
Default Value 200
CompressQuality
Description Compress quality of the frame.
Acceptable Values Number
Default Value 7000
Codec
Description The requested recording codec.
Acceptable Values Codec
Default Value SCPR
LocalRecordingsFolder
Description

The name of the local folder where recordings will be saved until they are uploaded to the Vault.

 

PSM 12.2 and higher uses a local configuration for the PSM Recordings folder. See RecordingsDirectory.
Acceptable Values Path
Default Value  
TraceLevels
Description Sets the debug level of the PSM Recorder.
Acceptable Values Number
Default Value 1,2

Advanced Settings

RecorderShutdownTimeout
Description The number of milliseconds that will pass after the stop command has been sent to the recorder before the recorder will shut down.
Acceptable Values Number
Default Value 5000

ConnectionClientSettings

TraceLevels
Description Sets the debug level of the PSM Connection Client. You can specify one or more numbers separated by commas.
Acceptable Values Number(s)
Default Value 1,2

Capabilities

These parameters define a list of connection client capabilities supported by PSM/PSM for SSH.

Video Recorder
Logon Account
SSH Text Recorder
SSH Password Hiding
SSH Keystrokes Audit
Windows Events Text Recorder
SQL Text Recorder
Windows Events Audit
SQL Level Audit
Keystrokes Text Recorder (all platforms)
Oracle Password Protection
Keystrokes Audit (all platforms)
SCP Audit
Commands Access Control

 

Id
Description The unique ID of the capability.
Acceptable Values String
Default Value  
Description
Description A description of the capability.
Acceptable Values String
Default Value  
Type
Description The type of the capability.
Acceptable Values Text Recorder/Video Recorder/Auditer/Password Protection
Default Value  
Integration Type
Description The integration type of the capability.
Acceptable Values Embedded/Standalone
Default Value  
Format
Description The data format of the capability.
Acceptable Values VID/SSH/SQL/Oracle
Default Value  

Default Settings

Enabled
Description Whether or not the capability is enabled.
Acceptable Values Yes/No
Default Value Yes
AuditGracefulTerminationTimeout
Description The time allowed for the audit server component to terminate gracefully, in milliseconds. Zero (0) indicates that there is no timeout.
 

This parameter is only relevant for the following capabilities:

SSH Keystrokes Audit
SQL Level Audit
Windows Events Audit
Keystrokes Audit
SCP Audit
Acceptable Values Number
Default Value 1000
AuditCommunicationTimeout
Description The time allowed for communication with the audit server component to be acknowledged, in milliseconds. Zero (0) indicates that there is no timeout.
 

This parameter is only relevant for the following capabilities:

SSH Keystrokes Audit
SQL Level Audit
Windows Events Audit
Keystrokes Audit
SCP Audit
Acceptable Values Number
Default Value 500
ConnectionComponentGracefulTerminationTimeout
Description

The time allowed for the connection component to terminate gracefully, in milliseconds. Zero (0) indicates that there is no timeout.

 

This parameter is only relevant for the following capabilities:

SSH Keystrokes Audit
SQL Level Audit
Windows Events Audit
Keystrokes Audit
SCP Audit
Acceptable Values Number
Default Value 4000
VaultCommunicationTimeoutAddition
Description The additional time allowed for audits to be acknowledged by the Vault, in milliseconds.
 

This parameter is only relevant for the following capabilities:

SSH Keystrokes Audit
SQL Level Audit
Windows Events Audit
Keystrokes Audit
SCP Audit
Acceptable Values Number
Default Value 5000
AuditServerInitializationTimeout
Description The time allowed for the audit server component to initialize, in milliseconds. Zero (0) indicates that there is no timeout.
 

This parameter is only relevant for the following capabilities:

SSH Keystrokes Audit
SQL Level Audit
Windows Events Audit
Keystrokes Audit
SCP Audit
Acceptable Values Number
Default Value 500
ShellPrompt
Description

A regular expression that represents the shell prompt of the target machines.

 

This parameter is only relevant for Commands Access Control
Acceptable Values String
Default Value (.*)[>#\\$]$
AbortCommand
Description

The key sequence to execute after an unauthorized command was blocked in order to clear the command line.

 

This parameter is only relevant for Commands Access Control
Acceptable Values Ctrl+C / Backspaces
Default Value Ctrl+C

Channels

These parameters define channel configuration for SSH, SQL, and universal text recordings and audits.

WindowTitles
Description Whether or not PSM will record window titles.
This is relevant for the following capabilities:
Windows Events Text Recorder
Windows Events Audit
Acceptable Values Yes/No
Default Value Yes
In
Description Whether or not the incoming channel will be recorded.
In SSH text recordings, the STDIN of the SSH is recorded.
In SQL text recordings and SQL level audits, the SQL commands are recorded.
In universal keystroke text recordings,  each individual keystroke typed by the user is recorded.
Acceptable Values Yes/No
Default Value Yes
Out
Description Whether or not the STDOUT of the SSH will be recorded in the text recording.
Note: This is only relevant for SSH text recordings.
Acceptable Values Yes/No
Default Value Yes
Keystrokes
Description Whether or not PSM will create audit records in the Vault based on keystrokes typed by the user.
This is relevant for the following capabilities:
SSH Text Recorder
SSH Keystrokes Audit
Keystrokes Text Recorder
Keystrokes Audit
Acceptable Values Yes/No
Default Value Yes
Actions
Description Whether or not PSM for SSH will create audit records in the Vault based on SCP commands performed by the user.
This is relevant for the following capability:
SCP Audit
Acceptable Values Yes/No
Default Value Yes

Audit Filters

Id
Description The unique identifier of the audit filter supported by the capability.
Acceptable Values String
Default Value  

SSH Password Hiding

These parameters determine whether or not passwords that are typed by the user during PSM for SSH sessions are recorded.

Default Settings
Enabled
Description Whether or not passwords that are typed by the user during PSM for SSH sessions will be omitted from PSMrecordings.
Acceptable Values Yes/No
Default Value Yes
PasswordPrompts
Description A regular expression restriction that is used to identify password prompts. When the system finds a match to this regular expression, it omits the password from the PSM session recording.
Acceptable Values String
Default Value All common prompts for Unix platforms or for Vault passwords
InvalidPasswordChars
Description A regular expression that defines the list of characters that are invalid for passwords.  When the system detects one of these characters, PSM for SSH resumes audit and recording and the password will no longer be hidden.
Acceptable Values String
Default Value \s

Configured PSM Servers

These parameters define a list of configured PSM servers.

PSM Server

ID
Description A unique ID of a specific PSM server.
Acceptable Values  
Default Value  
Name
Description The name of a specific PSM server.
Acceptable Values String
Default Value  

Connection Details

These parameters define the connection details of a specific PSM server.

Server

Address
Description The address of the PSM server machine used by accounts associated with this platform.
Acceptable Values String
Default Value  
Port
Description The port of the PSM server machine used by accounts associated with this platform.
Acceptable Values Number
Default Value  
Safe
Description The Safe where the account for the logon account for the PSM server is stored.
Acceptable Values Safe name
Default Value  
Folder
Description The folder where the account for the logon account for the PSM server is stored.
Acceptable Values Folder name
Default Value  
Object
Description The name of the account that is used by the logon account for the PSM server.
Acceptable Values Account name
Default Value  
AdminObject
Description An internal account used to facilitate live session monitoring. This account is created and managed automatically by the CPM and must not be managed manually.
Acceptable Values  
Default Value  

TSGateway

These parameters define the Remote Desktop gateway machine.

Address
Description The address of the Remote Desktop gateway machine used by accounts associated with this platform.
Acceptable Values String
Default Value  
Domain
Description The domain of the Remote Desktop gateway machine used by accounts associated with this platform.
Acceptable Values Domain name
Default Value  
Safe
Description The Safe where the account for the logon account for the Remote Desktop gateway is stored.
Acceptable Values Safe name
Default Value  
Folder
Description The folder where the account for the logon account for the Remote Desktop gateway is stored.
Acceptable Values Folder name
Default Value  
Object
Description The name of the account that is used by the logon account for the Remote Desktop gateway.
Acceptable Values Account name
Default Value  
Enable
Description Whether or not the Remote Desktop gateway is enabled.
Acceptable Values Yes/No
Default Value  

PSM Gateway

These parameters define the gateway server.

 

These parameters are not supported in the V10 interface.

ID
Description A unique ID of a specific PSM gateway server.
Acceptable Values String
Default Value  
Enable
Description Whether or not the PSM gateway server is enabled.
Acceptable Values Yes/No
Default Value