Check the Privilege Cloud Connector functionality

This topic presents verification steps following the installation or upgrade of the Privilege Cloud Connector.

Perform Privilege Cloud Connector functionality checks

1. Check CPM functionality and verify an account password

  1. Ensure you have the permission to Initiate CPM account management operations, described in Permissions.

  2. In the Accounts View page, onboard an account. See Onboard accounts.

  3. Access the account's Overview tab and in the Last Verified section, click Verify.

    A message is displayed indicating that the account is marked for verification.

    The CPM verifies the account during the next password management cycle. When the account is verified, the compliance status is updated.

2. Check PSM functionality

Check the Connector machine and set up an RDP connection to a target machine:

  1. On the Connector machine, open the Services screen and ensure CyberArk Privileged Session Manager is running.

  2. Set up an RDP connection to a target machine that was accessible before the upgrade. See Connect using RDP.

Troubleshoot PSM connector functionality

If any of the PSM connectors are not functioning properly, ensure that the relevant executables are included in the PSMConfigureApplocker.xml file.

Beginning in Connector version 12.1.7, DLL files are allowed only if they are loaded by the approved executables included in the PSMConfigureApplocker.xml file. The PSMConfigureApplocker script automatically finds the relevant DLL files and adds a corresponding AppLocker rule for these DLLs. However, we recommend that you verify that all PSM connectors are working properly after the upgrade. If any of the PSM connectors fail due to blocked DLL files, run the connector's executable and follow the Detect blocked DLL files procedure below.

  • If you are using a third-party application that deploys DLL files in unexpected locations, verify that the script did not find vulnerable DLL files among the executable's dependencies and add them to the allowed AppLocker rules:

    • Open the Local Security Policy (secpol.msc).

    • Select Application Control Policies > AppLocker > DLL Rules.

      • In the right pane, select the PSMShadowUsers deny rule that has exceptions.

      • In the Deny properties window, go to the Exceptions tab.

      • Review the list of allowed DLLs and verify that they are all valid DLLs.

  • Detect blocked DLL files

    If a connector fails, run the executable related to this connector and rerun the AppLocker script.

    If the connector is still blocked, do the following:

    1. Open the Windows Event viewer.

    2. Go to Applications and Services Logs\Microsoft\Windows\AppLocker\EXE and DLL.

    3. In the left pane, right-click EXE and DLL and select Clear Log.... Select Save and Clear to back up the logged events.

    4. Initiate a connection with the relevant connector through the Privilege Cloud Portal.

    5. Go back to Applications and Services Logs\Microsoft\Windows\AppLocker\EXE and DLL.

    6. In the left pane, right-click EXE and DLL and click Refresh.

    7. In the right pane, click Filter Current Log..., under Event level select only Error, and click OK.

    8. Check for Error 8004.

      For example, if the DLL dependencies of sqlplus.exe are not allowed, the following exception appears in the PSM log:

      [12/12/2021 | 19:33:06.608333] | {pid= 2108} | {tid= 3040} | class CPSMBaseException * | PSM\(68) | ::
      | PSMSR009I Privileged Session Manager exception occurred. PSMSR278I [4380081f-4041-44ef-a6ed-992f0ee4e77f] Session component [CommandLineConnectionClient] has stopped. Ending session. (Codes: -1, -1)

      In the Windows Event viewer, the following errors appear:


    9. For each blocked DLL error found, add a corresponding line to PSMConfigureAppLocker.xml under AllowedApplications, in the dll section.

      The line has the following format. Replace the AppLocker path variable shown in the 8004 error with the absolute path of the DLL:

      <Libraries Name="UniqueName" Type="Dll" Path="The DLL path presented in the 8004 error" Method="Hash" />

    Repeat the process (steps 1-9) until the connector works properly.
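The Event Viewer steps above can be scripted on the Connector. The following PowerShell is an added example, not CyberArk's own tooling: it reads event 8004 from the AppLocker EXE and DLL log, expands the AppLocker path variables to absolute paths, records each DLL's signature status and SHA-256 (for the "verify that they are valid DLLs" check), and drafts the <Libraries> lines to review before adding them to PSMConfigureAppLocker.xml. The path-variable mapping and log name are Windows' own; the hypothetical Name values and the assumption that the script runs elevated on the Connector are mine.

```powershell
# Added example (not part of the CyberArk documentation or product).
# Assumes an elevated PowerShell session on the Privilege Cloud Connector.

# AppLocker reports blocked paths with its own variables; map them to absolute paths.
$pathVars = @{
    '%WINDIR%'       = $env:WINDIR
    '%SYSTEM32%'     = Join-Path $env:WINDIR 'System32'
    '%OSDRIVE%'      = $env:SystemDrive
    '%PROGRAMFILES%' = $env:ProgramFiles   # may also resolve to Program Files (x86); confirm on disk
}

function Convert-AppLockerPath([string]$p) {
    foreach ($k in $pathVars.Keys) {
        if ($p.StartsWith($k, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $pathVars[$k] + $p.Substring($k.Length)
        }
    }
    return $p
}

# Event 8004 = "<file> was prevented from running" in the AppLocker EXE and DLL log.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004 } -ErrorAction SilentlyContinue

$seen = @{}
foreach ($ev in $events) {
    $x = [xml]$ev.ToXml()
    $blocked = $x.Event.UserData.RuleAndFileData.FilePath
    if (-not $blocked -and $ev.Message -match '^(.+?) was prevented from running') { $blocked = $Matches[1] }
    if (-not $blocked -or $blocked -notmatch '\.dll$') { continue }   # only DLL blocks belong in the dll section
    $abs = Convert-AppLockerPath $blocked
    if ($seen.ContainsKey($abs)) { continue }
    $seen[$abs] = $true

    # Evidence for the review step: does the file exist, who signed it, and what is its hash?
    $sig  = if (Test-Path $abs) { (Get-AuthenticodeSignature $abs).Status } else { 'FileNotFound' }
    $hash = if (Test-Path $abs) { (Get-FileHash $abs -Algorithm SHA256).Hash } else { '' }
    Write-Host ("{0}  {1}  signature={2}  sha256={3}" -f $ev.TimeCreated, $blocked, $sig, $hash)

    # Draft line for the dll section under AllowedApplications (hypothetical Name; must be unique).
    $name = '{0}_{1}' -f [IO.Path]::GetFileNameWithoutExtension($abs), $seen.Count
    Write-Output ('<Libraries Name="{0}" Type="Dll" Path="{1}" Method="Hash" />' -f $name, $abs)
}
```

Treat an unsigned or missing DLL in the output as a reason to investigate before allowing it, not as a line to paste.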