What’s New

The following features were introduced or enhanced in Privileged Access Manager - Self-Hosted version 13.0.

Featured in this release

Federal Information Processing Standards (FIPS) compliance

CyberArk has updated its Object Module library to a validated, FIPS 140-2 certified version to comply with government requirements and regulations. For more details about our FIPS compliance, see FIPS Compliance.

Shared Technology Platform

Consolidated hardening for PSM and CPM shared server

This version offers a combined GPO for PSM and CPM that provides a more efficient and simpler experience when installing or upgrading PSM and CPM on the same server. This single GPO secures the server while addressing the functional needs of both installed components. For details, see Hardening 'In Domain' deployments.

PAM on cloud

Increased storage capabilities

Until now, as part of the PAM on cloud deployment process, the Vault application, metadata and data have been installed on the C: drive. In this version, the Vault deployment process has been updated to deploy the Vault data and metadata on a different drive. This change improves the Vault storage capabilities that were, until now, limited to 2 terabytes due to the C: drive deployment.

Password Vault Web Access

Accounts discovery

We have expanded the list of target machines that can be scanned using the Accounts Feed discovery. In addition to the already supported platforms, customers can scan for accounts on the following targets:

  • Windows Server 2022 - accounts and their dependencies

  • RHEL 7.9 and 8.2

  • CentOS 7

  • SUSE 11 and 12

  • Oracle Linux 6 and 7

New user experience for application authentication configuration

When creating and editing applications from the PVWA Applications page, the UI now encourages you to follow security best practices. For details, see the Security overview section in the Credential Providers documentation.

When performing a bulk upload of applications, warnings are provided if security best practices are not followed.


Central Policy Manager

Microsoft Azure Password Management

The Microsoft Azure Password Management plugin enables management of Microsoft Azure privileged account passwords that are being used when connecting to Microsoft Azure Portal.

CyberArk has updated the plugin with Microsoft's new MS Graph API after Microsoft announced the deprecation of the old Azure AD Graph API. We recommend updating to the latest plugin before the deprecation date (which is currently December 2022).

Amazon Web Services (AWS) Access keys

The Amazon Web Services Access keys are long-term credentials for an Identity and Access Management (IAM) user or the AWS account root user.

In this version, we enhanced the AWS access keys plugin and added the ability to change the default AWS region in which the plugin is configured.

For more information, see AWS access keys.

Unix and SSH Keys

We have expanded the list of target machines that can be managed using the Unix and SSH Keys plugins. In addition to the already supported platforms, customers can also manage Unix machines on the following targets:

  • Amazon Linux 2

  • IBM AIX 7.3

  • RHEL 8.4

Privileged Session Manager

This version includes a new PSM recorder, which offers better performance and screen resolution support.

PSM concurrent connections

To accommodate the expanding usage of web-based connections, we updated the PSM server specification and increased the number of concurrent sessions to web applications that can be run per PSM server:

  • For small implementations, the maximum number of Chrome sessions per PSM server is increased to 15 concurrent connections

  • For mid-range implementations, the maximum number of Chrome sessions per PSM server is increased to 45 concurrent connections

  • For large implementations, the maximum number of Chrome sessions per PSM server is increased to 90 concurrent connections

These specifications are relevant for PSM version 12.6 and later.

For more information, see PSM servers.

SAP GUI Connector

The SAP GUI connector enables you to create a secure session to the SAP GUI client. The connector is now supported on the latest SAP GUI platform, version 7.7.

Support timeout configuration in HTML5 Gateway

This version provides the ability to define timeout settings for the PSM session initiation to enable better tolerance in environments with network latency.

Installation prerequisite verification

In this version, we added an automatic prerequisite verification stage to the PSM installation process, which verifies that the server meets the required specifications and setup for the PSM installation. If a missing condition is identified, an indicative message is displayed and the installation is aborted. The user must adjust the server accordingly, or exclude the specific verification step, before resuming the installation.

Privileged Session Manager for SSH

Configuration of JIT certification algorithm

This version introduces the ability to define the signing algorithm that will be used for the SSH key certificate as part of the Just in Time access with short-lived SSH certificates feature.

To configure the signing algorithm, set the CASignatureAlgorithm parameter in the PSMP-SSH connection component configuration.

Privileged Threat Analytics

Support PTA on RedHat 8

Starting this version, PTA is supported on RedHat 8.6 or 8.7 (Minimal Install) and its binary-compatible forks, Rocky Linux and AlmaLinux. To migrate an existing PTA environment to RedHat 8, see Import PTA to a New Machine.

Global Catalog connectivity

Continuing the consolidation of the PTA Classic UI into PVWA, starting this version the Global Catalog connectivity page (previously called AD Connectivity in the PTA Classic UI) has moved to PVWA. Global Catalog connectivity is now configured from the new Global Catalog connectivity page in the PTA Administration tab, reached from the PVWA Administration navigation bar.
In addition, this setup can also be done using the new Global Catalog connectivity REST APIs, which allows it to be automated.

Enhanced outbound communication to SIEM

We have significantly enhanced and extended Privileged Threat Analytics outbound communication to SIEM.

  • Following security best practices, starting this version PTA supports TLS 1.2-based communication for outbound syslog ports.

    Customers can change this configuration manually through the system properties file.

  • Syslog protocol RFC-5424 has been added. This enables broader integrations with SIEM vendors.

  • We have enhanced the existing RFC-6587 support by adding customizable fields for syslog transport.
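The two syslog standards named above fit together: RFC 5424 defines the message format and RFC 6587 defines how messages are framed on a TCP (or TLS) stream. The following added example, which is not CyberArk code, builds an RFC 5424 message, frames it with RFC 6587 octet counting, splits a received stream back into messages the way a SIEM collector would, and pins a sender-side TLS context to TLS 1.2 or higher. Host names, application names and message text are constructed.

```python
"""Added example, not CyberArk's code: RFC 5424 formatting, RFC 6587 octet-counting
framing, SIEM-side de-framing/parsing, and a TLS 1.2 floor. Sample values are constructed."""
import re
import ssl
from datetime import datetime, timezone

# RFC 5424 header fields; "-" is the NILVALUE. Escaped "]" inside a PARAM-VALUE is not handled.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d)\s(?P<ts>\S+)\s(?P<host>\S+)\s(?P<app>\S+)\s"
    r"(?P<procid>\S+)\s(?P<msgid>\S+)\s(?P<sd>-|(?:\[[^\]]*\])+)\s?(?P<msg>.*)$")

def build_rfc5424(facility, severity, host, app, msgid, sd_id, sd_params, msg, ts=None):
    """Return one RFC 5424 line. PRI = facility*8 + severity; MSG is omitted when empty."""
    ts = ts or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    sd = "-" if sd_id is None else f"[{sd_id} " + " ".join(f'{k}="{v}"' for k, v in sd_params.items()) + "]"
    head = f"<{facility * 8 + severity}>1 {ts} {host} {app} - {msgid} {sd}"
    return head + (f" {msg}" if msg else "")

def frame_octet_counting(line):
    """RFC 6587 octet counting: MSG-LEN SP SYSLOG-MSG; the length is in bytes, not characters."""
    body = line.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body

def split_frames(stream):
    """Split a TCP byte stream into complete octet-counted messages. Returns
    (messages, leftover) so a partial trailing frame waits for the next read."""
    out = []
    while True:
        m = re.match(rb"(\d+) ", stream)
        if not m or len(stream) < m.end() + int(m.group(1)):
            return out, stream
        end = m.end() + int(m.group(1))
        out.append(stream[m.end():end].decode("utf-8"))
        stream = stream[end:]

def parse_rfc5424(line):
    """Return the header fields as a dict with facility/severity decoded, or None."""
    m = RFC5424_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["facility"], d["severity"] = divmod(int(d.pop("pri")), 8)
    return d

def tls12_client_context():
    """Sender-side TLS context that refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```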

Tools

Telemetry

The Telemetry tool helps customers track component utilization and adoption, compliance status of managed credentials, and license utilization for their on-premises PAM deployments.

The installer now validates the prerequisites before installation begins, which reduces the number of installation failures.
In addition, installing the CyberArk Telemetry on Windows Server 2022 is now supported.

For more information, see Telemetry.

The Telemetry tool is available to download from CyberArk Marketplace.

Secure Web Applications Connection Component and CPM Plugins support for Edge Browser

The Web Application Connection Components and CPM Plugin Frameworks provide a simple way to create new PSM Connection components for web and password management plugins (CPM plugin) for web-based and SaaS applications without needing any developer expertise or experience.
We have updated these frameworks to support both Chrome (version 100 and above) and Edge browsers (version 103 and above).
For more information, see Web applications for PSM and Web applications for CPM.

Security enhancements

Vault

Upgrade C++ Redistributable to version 2022

Starting this version, the Vault server and Vault utilities have been upgraded to use ToolSet 2019 (v142), which is part of Microsoft Visual C++ Redistributable 2022.

This upgrade provides our customers with a more secure product.

Upgrade the vault certificate signing request ingredients

The Certificate Signing Request (CSR) generation ingredients used as part of the CACert utility have been updated.

The Certificate Signature Algorithm now uses SHA512-RSA and the Public Key length is now set to 4096 bits, which offer enhanced security.

Vault hardening enhancements

  • Starting this version, we enforce the use of standard secure algorithms and cipher suites on the Vault operating system, Vault utilities, and the Vault integrations with SIEM, Email and LDAP. Integrations with third-party vendors that do not support these algorithms and cipher suites will cease to work.

    The list of approved cipher suites and algorithms can be found in the system requirements section.

  • Password expiration policy enforcement for the local administrator user of the Vault machine for Windows 2019 and 2016.

    Continuing the alignment of Vault hardening with the CIS guidelines for Windows 2019 that began in the previous version, in this version we have updated the password expiration mechanism for the local administrator user of the Vault machine. This is done both by reducing the password change period from 45 to 30 days and by enforcing the change by default.

    Although not recommended from a security best practice perspective, customers can change the expiration period and cancel the enforcement mechanism.

    While the CIS hardening alignment is supported only on Windows 2019, this specific addition applies to both Windows 2019 and 2016.

PAM on cloud

Upgrade AWS SDK library used by the Vault

The current AWS SDK library used by the Vault has been upgraded to version 1.9.220.

Privileged Threat Analytics

PTA security improvements

Internal components and third-party libraries were upgraded to enhance security and make technological improvements to the components of PTA.

Central Policy Manager

Signature Validation

In this version, CyberArk added strict signature validation on executables uploaded via the Import Platform page, to ensure the engine’s integrity in general and protect it from manipulation by unauthorized users.