The following features were introduced or enhanced in Privileged Access Manager - Self-Hosted version 13.0.
Featured in this release
Federal Information Processing Standards (FIPS) compliance
CyberArk has updated its Object Module library to a validated, FIPS 140-2 certified version to comply with government requirements and regulations. For more details about our FIPS compliance, see FIPS Compliance.
Shared Technology Platform
Consolidated hardening for PSM and CPM shared server
This version offers a combined GPO for PSM and CPM that provides a more efficient and simpler experience when installing or upgrading PSM and CPM on the same server. This single GPO setting secures the server while addressing the functional needs of both installed components. For details, see Hardening 'In Domain' deployments.
PAM on cloud
Increased storage capabilities
Until now, as part of the PAM on cloud deployment process, the Vault application, metadata and data have been installed on the C: drive. In this version, the Vault deployment process has been updated to deploy the Vault data and metadata on a different drive. This change improves the Vault storage capabilities that were, until now, limited to 2 terabytes due to the C: drive deployment.
Password Vault Web Access
We have expanded the list of target machines that can be scanned using the Accounts feed discovery. In addition to already supported platforms, customers can scan for accounts on the following targets:
Windows Server 2022 - accounts and their dependencies
RHEL 7.9 and 8.2
SUSE 11 and 12
Oracle Linux 6 and 7
New user experience for application authentication configuration
When creating and editing applications from the PVWA Applications page, the UI now encourages you to follow security best practices. For details see the Security overview section in the Credential Providers documentation.
When performing a bulk upload of applications, warnings are provided if security best practices are not followed.
Central Policy Manager
Microsoft Azure Password Management
The Microsoft Azure Password Management plugin enables management of Microsoft Azure privileged account passwords that are being used when connecting to Microsoft Azure Portal.
CyberArk has updated the plugin with Microsoft's new MS Graph API after Microsoft announced the deprecation of the old Azure AD Graph API. We recommend updating to the latest plugin before the deprecation date (which is currently December 2022).
Amazon Web Services (AWS) Access keys
The Amazon Web Services Access keys are long-term credentials for an Identity and Access Management (IAM) user or the AWS account root user.
In this version we enhanced the current AWS access keys plugin and added the ability to change the default AWS region where the plugin is configured.
For more information, see AWS access keys.
Unix and SSH Keys
We have expanded the list of target machines that can be managed using the Unix and SSH Keys plugins. In addition to already supported platforms, customers can also manage Unix machines on the following targets:
Amazon Linux 2
IBM AIX 7.3
Privileged Session Manager
This version includes a new PSM recorder, which offers better performance and screen resolution support.
PSM concurrent connections
To accommodate the expanding usage of web-based connections, we updated the PSM server specification and increased the number of concurrent sessions to web applications that can be run per PSM server:
For small implementations, the maximum number of Chrome sessions per PSM server is increased to 15 concurrent connections
For mid-range implementations, the maximum number of Chrome sessions per PSM server is increased to 45 concurrent connections
For large implementations, the maximum number of Chrome sessions per PSM server is increased to 90 concurrent connections
These specifications are relevant for PSM version 12.6 and later.
For more information, see PSM servers.
SAP GUI Connector
The SAP GUI connector enables you to create a secure session to the SAP GUI client. The connector is now supported on the latest SAP GUI platform, version 7.7.
Support timeout configuration in HTML5 Gateway
This version provides the ability to define timeout settings for the PSM session initiation to enable better tolerance in environments with network latency.
Installation prerequisite verification
In this version, we've added an automatic prerequisite verification stage to the PSM installation process, which verifies that the server meets the required specs and setup for the PSM installation. If a missing condition is identified, an indicative message is displayed and the installation process is aborted. The user must adjust the server accordingly or exclude the specific verification step before resuming the installation.
Privileged Session Manager for SSH
Configuration of JIT certification algorithm
This version introduces the ability to define the signing algorithm that will be used for the SSH key certificate as part of the Just in Time access with short-lived SSH certificates feature.
To configure the signing algorithm, set the CASignatureAlgorithm parameter in the PSMP-SSH connection component configuration.
Privileged Threat Analytics
Support PTA on RedHat 8
Starting with this version, PTA is supported on RedHat 8.6 or 8.7 (Minimal Install) and on its binary-compatible forks, Rocky Linux and AlmaLinux. To migrate from an existing PTA environment to RedHat 8, see Import PTA to a New Machine.
Global Catalog connectivity
Continuing the consolidation of the PTA Classic UI into PVWA, starting with this version the Global Catalog connectivity page (previously called AD Connectivity in the PTA Classic UI) has moved to PVWA. Global Catalog connectivity is now configured on the new Global Catalog connectivity page in the PTA Administration tab of the PVWA Administration navigation bar.
In addition, this setup can also be done using the new Global Catalog connectivity REST APIs, which allows it to be automated.
Enhanced outbound communication to SIEM
We have significantly enhanced and extended Privileged Threat Analytics outbound communication to SIEM.
Following security best practices, starting with this version PTA supports TLS 1.2-based communication for outbound syslog ports.
Customers can change this configuration manually through the system properties file.
Syslog protocol RFC-5424 has been added. This enables broader integrations with SIEM vendors.
We have enhanced the existing RFC-6587 support by adding customizable fields for syslog transport.
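As an added example (not PTA's own code), the following Python script shows what the two syslog standards named above amount to on the wire: it formats an event as an RFC 5424 message with structured data and proper escaping, frames it for TCP with RFC 6587 octet counting, parses it back the way a SIEM collector would, and builds a client TLS context that refuses anything below TLS 1.2. The host name, application name, message ID and event fields are constructed sample values, not PTA identifiers; 32473 is the enterprise number reserved for documentation examples.

```python
"""Added example, not PTA's own code: format an event as an RFC 5424 syslog
message, frame it for TCP with RFC 6587 octet counting, and parse it back the
way a SIEM collector would. All host, application and event values below are
constructed sample data, not PTA identifiers."""
import re
import ssl
from datetime import datetime, timezone

NILVALUE = "-"          # RFC 5424 placeholder for an absent field
FACILITY_LOCAL0 = 16    # RFC 5424 facility code
SEVERITY_WARNING = 4    # RFC 5424 severity code


def escape_sd(value: str) -> str:
    """Escape the three characters RFC 5424 6.3.3 requires inside PARAM-VALUE."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def unescape_sd(value: str) -> str:
    return re.sub(r'\\([\]"\\])', r"\1", value)


def format_rfc5424(facility, severity, hostname, appname, msgid, structured, msg,
                   timestamp=None, procid=NILVALUE):
    """Build '<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]'."""
    pri = facility * 8 + severity
    ts = (timestamp or datetime.now(timezone.utc)).isoformat(timespec="milliseconds")
    ts = ts.replace("+00:00", "Z")
    sd = NILVALUE
    if structured:
        sd = "".join(
            "[" + sd_id + "".join(f' {k}="{escape_sd(v)}"' for k, v in params.items()) + "]"
            for sd_id, params in structured.items())
    header = f"<{pri}>1 {ts} {hostname} {appname} {procid} {msgid} {sd}"
    return f"{header} {msg}" if msg else header


HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
                       r"(?P<procid>\S+) (?P<msgid>\S+) ")
SD_ELEMENT_RE = re.compile(r"\[(?:[^\]\\]|\\.)*\]")          # one [SD-ID params] element
SD_PARAM_RE = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')     # name="value" with escapes


def parse_rfc5424(message: str) -> dict:
    """Split a message into header fields, structured data and free text."""
    m = HEADER_RE.match(message)
    if not m:
        raise ValueError("not an RFC 5424 version-1 message")
    rest = message[m.end():]
    structured = {}
    if rest.startswith(NILVALUE):
        pos = 1
    else:
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            elem = SD_ELEMENT_RE.match(rest, pos)
            if not elem:
                raise ValueError("malformed structured data")
            sd_id, _, params = elem.group(0)[1:-1].partition(" ")
            structured[sd_id] = {k: unescape_sd(v) for k, v in SD_PARAM_RE.findall(params)}
            pos = elem.end()
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m["ts"],
            "hostname": m["host"], "appname": m["app"], "procid": m["procid"],
            "msgid": m["msgid"], "structured": structured,
            "msg": rest[pos + 1:] if pos < len(rest) else ""}


def frame_octet_counting(message: str) -> bytes:
    """RFC 6587 3.4.1: prefix each message with its byte length and a space."""
    payload = message.encode("utf-8")
    return f"{len(payload)} ".encode("ascii") + payload


def unframe_octet_counting(stream: bytes) -> list:
    """Recover every complete message from a TCP byte stream; reject truncation."""
    messages, pos = [], 0
    while pos < len(stream):
        space = stream.index(b" ", pos)
        start, length = space + 1, int(stream[pos:space])
        if start + length > len(stream):
            raise ValueError("truncated frame")
        messages.append(stream[start:start + length].decode("utf-8"))
        pos = start + length
    return messages


def siem_tls_context(cafile=None) -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 on the syslog port."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


SAMPLE_TS = datetime(2024, 1, 15, 10, 30, 0, 123000, tzinfo=timezone.utc)  # constructed


def sample_message() -> str:
    """Constructed event; 32473 is the enterprise number reserved for examples."""
    return format_rfc5424(
        FACILITY_LOCAL0, SEVERITY_WARNING, "pta01.example.invalid", "pta-example",
        "EVT001", {"event@32473": {"user": "admin",
                                   "detail": 'login from "unusual" [host]'}},
        "suspicious privileged login detected", timestamp=SAMPLE_TS)


if __name__ == "__main__":
    wire = frame_octet_counting(sample_message())
    print(wire)
    print(parse_rfc5424(unframe_octet_counting(wire)[0]))
```

Octet counting is the framing to prefer over newline-delimited transport when message bodies can contain line breaks, and the parser's escape handling is what keeps a `]` or `"` inside a field value from truncating the structured data on the collector side.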
The Telemetry tool helps customers track component utilization and adoption, compliance status of managed credentials, and license utilization for their on-premises PAM deployments.
The installer now validates the prerequisites before installation begins, to reduce the number of installation failures.
In addition, installing the CyberArk Telemetry on Windows Server 2022 is now supported.
For more information, see Telemetry.
The Telemetry tool is available to download from CyberArk Marketplace.
Secure Web Applications Connection Component and CPM Plugins support for Edge Browser
The Web Application Connection Components and CPM Plugin Frameworks provide a simple way to create new PSM Connection components for web and password management plugins (CPM plugin) for web-based and SaaS applications without needing any developer expertise or experience.
We have updated these frameworks to support both Chrome (version 100 and above) and Edge browsers (version 103 and above).
For more information, see Web applications for PSM and Web applications for CPM.
Upgrade C++ Redistributable to version 2022
Starting this version, the Vault server and Vault utilities have been upgraded to use ToolSet 2019 (v142) which is part of Microsoft Visual C++ Redistributable 2022.
This upgrade provides our customers with a more secure product.
Upgrade the vault certificate signing request ingredients
The Certificate Signing Request (CSR) generation ingredients used as part of the CACert utility have been updated.
The certificate signature algorithm is now SHA512-RSA and the public key length is now 4096 bits, which offers enhanced security.
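As an added example (not CyberArk's CACert utility), the following Python script generates a CSR with the strengthened parameters described above and checks an arbitrary CSR against that baseline, so the request can be verified before it is sent to a CA. It assumes the third-party `cryptography` package is installed; the subject names are placeholders.

```python
"""Added example, not CyberArk's CACert utility: build a CSR signed with
SHA512-RSA over a 4096-bit RSA key, and audit any PEM CSR against that
baseline. Assumes the third-party `cryptography` package is installed."""
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

MIN_RSA_BITS = 4096        # baseline key length from the release notes
EXPECTED_HASH = "sha512"   # cryptography's name for SHA-512


def build_csr(key_size: int, hash_alg: hashes.HashAlgorithm) -> x509.CertificateSigningRequest:
    """Generate a fresh RSA key and sign a CSR for a placeholder subject."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, "vault.example.invalid"),  # placeholder host
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Org"),      # placeholder org
    ])
    return x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, hash_alg)


def check_csr(pem: bytes) -> list:
    """Return a list of findings; an empty list means the CSR meets the baseline."""
    csr = x509.load_pem_x509_csr(pem)
    findings = []
    if not csr.is_signature_valid:
        findings.append("CSR self-signature is invalid")
    pub = csr.public_key()
    if not isinstance(pub, rsa.RSAPublicKey):
        findings.append("public key is not RSA")
    elif pub.key_size < MIN_RSA_BITS:
        findings.append(f"RSA key too short: {pub.key_size} < {MIN_RSA_BITS}")
    alg = csr.signature_hash_algorithm
    if alg is None or alg.name != EXPECTED_HASH:
        findings.append(f"signature hash is {alg.name if alg else 'unknown'}, expected {EXPECTED_HASH}")
    return findings


def strong_csr_pem() -> bytes:
    """CSR matching the release-note parameters: SHA-512 signature, 4096-bit key."""
    return build_csr(4096, hashes.SHA512()).public_bytes(serialization.Encoding.PEM)


def weak_csr_pem() -> bytes:
    """CSR with the weaker, previously common parameters, for contrast."""
    return build_csr(2048, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    for label, pem in (("strong", strong_csr_pem()), ("weak", weak_csr_pem())):
        print(label, check_csr(pem) or "meets baseline")
```

The check reads the hash algorithm and key size from the CSR itself rather than trusting the tool that produced it, which is the same test a CA or an auditor applies when deciding whether to accept the request.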
Vault hardening enhancements
Starting with this version, we enforce the use of standard secure algorithms and cipher suites on the Vault operating system, Vault utilities, and the Vault integrations with SIEM, Email and LDAP. Integrations with third-party vendors that do not support these algorithms and cipher suites will cease to work.
The list of approved cipher suites and algorithms can be found in the system requirement section.
Password expiration policy enforcement for the local administrator user of the Vault machine for Windows 2019 and 2016.
Continuing the alignment of the Vault hardening with CIS guidelines on Windows 2019 in the previous version, in this version we have updated our password expiration mechanism for the local administrator user of the Vault machine. This is done by reducing the password change period from 45 to 30 days and by enforcing the change by default.
Although not recommended from a security best practice perspective, customers can change the expiration period and cancel the enforcement mechanism.
While the CIS hardening alignment is supported only on Windows 2019, this specific addition will apply for both Windows 2019 and 2016.
PAM on cloud
Upgrade AWS SDK library used by the Vault
The current AWS SDK library used by the Vault has been upgraded to version 1.9.220.
Privileged Threat Analytics
PTA security improvements
Internal components and third-party libraries were upgraded to enhance security and make technological improvements to the components of PTA.
Central Policy Manager
In this version, CyberArk added strict signature validation on executables uploaded via the Import Platform page, to ensure the engine’s integrity in general and protect it from manipulation by unauthorized users.