What’s New

The following features were introduced or enhanced in Privileged Access Security solution 12.0.

Featured in this release

Upgraded Vault's MySQL database version

We have upgraded the Vault's embedded MySQL database from version 5.6.15 to version 8.0.21 to keep the product up to date.

End-of-life dates for CyberArk versions remain the same.

PSM access to Windows Servers protected with Idaptive endpoint MFA

A new PSM and Idaptive integration prevents lateral movement and identity theft within infrastructure, with fully isolated, restricted, monitored, and protected access to sensitive Windows targets, enhanced by Idaptive MFA protection for users accessing the servers.

Administrators can access a Windows Server where the Idaptive Windows Cloud Agent is installed. When this is done through PSM, after PSM injects the account credentials on the target server the agent initiates MFA for the user according to the policy set in Idaptive and logs the user in once the MFA challenge is answered correctly. The integration is supported for connections initiated from PVWA as well as directly from users' desktops using an RDP client or connection manager.

The integration became available on October 23, 2020 with the release of Idaptive v20.5 and works with all versions of PSM. For further details, see Enforce adaptive MFA on NLA connections.

Password Vault Web Access

PVWA stability improvements

To enhance performance and end user experience, we have implemented rate limiting for API requests in PVWA.

API throttling lets us control how our APIs are used and avoids failures caused by slow end-system data requests or, in the worst case, PVWA server unavailability.

During peak periods, when client requests exceed PVWA capacity and CPU utilization rises to the point of congestion, API throttling limits the number of requests PVWA responds to. Once the specified CPU utilization limit is reached, PVWA sheds new requests and does not respond to them. For more information, see API throttling.
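Because PVWA sheds requests under load rather than queuing them, automation that calls the REST API should expect throttled responses and back off instead of retrying in a tight loop. The following is an added example, not CyberArk's code: it assumes a shed request surfaces as an HTTP 429 or 503 status (the page does not state which code PVWA returns), retries only those statuses with capped, jittered exponential backoff, passes every other status through unchanged, and adds a small client-side token bucket so a script stays under a rate it chooses. The simulated PVWA transport is constructed for the example.

```python
"""Client-side handling of PVWA API throttling.

Added example (not CyberArk's code). Assumptions: a throttled or shed request
surfaces as an HTTP 429 or 503 status (the page does not state the code PVWA
uses), and the caller can supply its own transport, sleep and clock functions
so the logic can be exercised offline.
"""
import random
import time
from dataclasses import dataclass
from typing import Callable

# Assumed status codes meaning "PVWA shed this request; try again later".
THROTTLE_STATUSES = frozenset({429, 503})


class ThrottledError(RuntimeError):
    """Raised when PVWA keeps shedding requests after all retries."""


@dataclass
class BackoffPolicy:
    base_delay: float = 0.5   # seconds before the first retry
    max_delay: float = 30.0   # cap so a long congestion period does not explode the wait
    max_attempts: int = 6     # total attempts, including the first request
    jitter: float = 0.25      # +/- fraction so clients do not retry in lockstep

    def delay_for(self, attempt: int, rng: Callable[[], float] = random.random) -> float:
        """Exponential delay for the given zero-based attempt, capped and jittered."""
        raw = min(self.max_delay, self.base_delay * (2 ** attempt))
        return raw * (1.0 - self.jitter + 2.0 * self.jitter * rng())


def call_with_backoff(send, policy, sleep=time.sleep, rng=random.random):
    """Call send() -> (status, body); retry only while PVWA reports throttling.

    Returns (status, body, attempts_used). Non-throttle statuses are returned
    to the caller unchanged, so real errors are not masked by retries.
    """
    for attempt in range(policy.max_attempts):
        status, body = send()
        if status not in THROTTLE_STATUSES:
            return status, body, attempt + 1
        if attempt + 1 < policy.max_attempts:
            sleep(policy.delay_for(attempt, rng))
    raise ThrottledError(f"PVWA still throttling after {policy.max_attempts} attempts")


class TokenBucket:
    """Client-side limiter so an automation script stays under a chosen request rate."""

    def __init__(self, rate_per_sec, capacity, clock=time.monotonic):
        self.rate = rate_per_sec
        self.capacity = capacity
        self.tokens = float(capacity)
        self.clock = clock
        self.last = clock()

    def try_acquire(self) -> bool:
        """Take one token if available; refill is proportional to elapsed time."""
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def make_simulated_pvwa(shed_first_n: int):
    """Constructed stand-in for PVWA: sheds the first n requests, then answers 200."""
    state = {"calls": 0}

    def send():
        state["calls"] += 1
        if state["calls"] <= shed_first_n:
            return 503, {"ErrorMessage": "server busy"}  # constructed body
        return 200, {"value": []}
    return send


if __name__ == "__main__":
    pvwa = make_simulated_pvwa(shed_first_n=2)
    status, body, used = call_with_backoff(pvwa, BackoffPolicy(), sleep=lambda s: None)
    print(f"status={status} after {used} attempts")
```

In a real script, `send` would be a closure that issues the HTTP request with the PVWA session token; the retry wrapper never changes the request, so a throttled call is safe to repeat.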

Just-In-Time access improvements

This release introduces several improvements in our Just-In-Time access solution. Users can revoke their own administrative access using a dedicated new API. We improved the user experience by giving the user an indicator from the time when the Get Access button is clicked until access is granted. For more information, see Revoke Just in Time access.

ServiceNow Paris version support

Integrating a privileged accounts workflow with ServiceNow Incident Management and Change Management is now supported for the Paris version.

The ServiceNow Paris version integration is now available in the CyberArk Marketplace.

Accessibility improvements for the Accounts page

This release includes several accessibility improvements. We added missing tooltips to several attributes in our Accounts page.

REST API

This release includes several improvements in our Safes and User Management REST API Web services for easier automation and usage.

New REST APIs:

  • Get Safes - Returns a list of all Safes the requested user has permissions to view. This API is available with several capabilities, such as paging and searching according to specified values to create a more precise list.

  • Add Safe - Enables the user to create a new Safe.

  • Get members - Returns a list of all the members of a specific Safe.

  • Update group - Enables the user to edit the name of an existing group.

Enhanced REST APIs:

  • Get users - In addition to the information this API provides, for each user in the returned list the API also returns the groups the user is a member of.

  • Get groups - In addition to the information this API provides, for each group in the returned list the API also returns the users that are members of the group.
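The Get Safes API above returns results in pages, so a script that wants every Safe a user can see has to walk the pages rather than trust the first response. Here is an added example, not CyberArk's code, of a pager that does that. It assumes the documented request parameters `offset`, `limit` and `search`, the response fields `value` (the page of Safes) and `count` (the total matching), the path `PasswordVault/API/Safes`, and that the PVWA session token is sent in the `Authorization` header; the fake transport and the Safe catalog it serves are constructed for the example.

```python
"""Paging through the Get Safes REST API.

Added example (not CyberArk's code). Assumed API shape: GET
PasswordVault/API/Safes?offset=&limit=&search= returning {"value": [...],
"count": N}; the session token from the logon API goes in the Authorization
header. The transport is injectable so the paging logic runs offline.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

SAFES_PATH = "PasswordVault/API/Safes"   # assumed path


def make_http_get(base_url: str, session_token: str) -> Callable[[str, Dict[str, str]], dict]:
    """Real transport: GET <base_url>/<path>?<params> carrying the PVWA session token."""
    def get(path: str, params: Dict[str, str]) -> dict:
        url = f"{base_url.rstrip('/')}/{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": session_token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return get


def iter_safes(get: Callable[[str, Dict[str, str]], dict],
               search: Optional[str] = None,
               limit: int = 25) -> Iterator[dict]:
    """Yield every Safe visible to the caller, requesting one page at a time.

    Stops when a page comes back empty or when the cumulative offset reaches
    the server-reported count, so a changing count cannot loop forever.
    """
    offset = 0
    while True:
        params = {"offset": str(offset), "limit": str(limit)}
        if search:
            params["search"] = search
        page = get(SAFES_PATH, params)
        items: List[dict] = page.get("value", [])
        yield from items
        offset += len(items)
        if not items or offset >= int(page.get("count", 0)):
            return


def make_fake_get(safes: List[dict]):
    """Constructed stand-in for PVWA that pages and filters an in-memory catalog."""
    calls: List[Dict[str, str]] = []

    def get(path: str, params: Dict[str, str]) -> dict:
        calls.append(dict(params))
        needle = params.get("search", "").lower()
        matched = [s for s in safes if needle in s["safeName"].lower()]
        off, lim = int(params["offset"]), int(params["limit"])
        return {"value": matched[off:off + lim], "count": len(matched)}
    get.calls = calls   # exposed so a caller can see how many pages were fetched
    return get


if __name__ == "__main__":
    # Constructed catalog; "safeName" is the assumed field name in each entry.
    catalog = [{"safeName": n} for n in
               ["Prod-DB", "Prod-Web", "Test-DB", "Test-Web", "Dev-1", "Dev-2", "Shared"]]
    fake = make_fake_get(catalog)
    for safe in iter_safes(fake, search="prod", limit=3):
        print(safe["safeName"])
```

Against a live PVWA, replace the fake with `make_http_get("https://<pvwa-host>", token)`, where `token` is the value returned by the logon API; the paging loop is unchanged.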

Generate Password REST API

This version introduces an option to generate an account password via REST API.

Customers who want to generate a password for managed accounts can now call the Generate Password REST API and send the account ID details.

The API retrieves the account's old password and determines the new password complexity according to the account's platform policy.

For more information about using this REST API, see Generate password.

Central Policy Manager

Manage VMware ESX/i 6.7 and 7.0 accounts

Management of VMware ESX/i root and local privileged accounts via the ESX/i REST API and CLI is now supported for ESX/i 6.7 and ESX/i 7.0. For more information, see VMware ESX/i.

The CPM plugin is now available in the CyberArk Marketplace.

Privileged Session Manager

Harden the PSM Server by default during installation to ensure maximum security

To verify that the recommended hardening settings are applied on the PSM server and to provide maximum security, the PSM installation now includes post-installation and hardening stages by default.

Both the PSM installation Wizard and the new automatic installation tool enable you to edit the post-installation and hardening steps according to your needs. You can still disable these stages during installation and trigger them afterwards using the automatic scripts.

Privileged Session Manager for SSH

PSM for SSH Deployment on Red Hat Enterprise Linux 8 and CentOS 8

Customers transitioning or upgrading their Linux environments to the latest Red Hat Enterprise Linux 8 OS edition or CentOS 8 can now leverage the secure and native access capabilities of PSM for SSH by deploying it on these OS versions. This is applicable for Red Hat Enterprise Linux 8.0, 8.1, and 8.2 and CentOS 8.0, 8.1, and 8.2.

SSH Key Authentication to PSM for SSH in Integrated mode using your own SSHD

PSM for SSH installation can coexist with the operating system's original SSH daemon (SSHD) without replacing it. Customers who use SSH key authentication to CyberArk in PSM for SSH connections can now do so using their own SSHD version rather than being dependent on the one customized by CyberArk, by switching to use PSMP for SSH in Integrated mode.

This is only supported for SSHD version 7.8 or above.

More information about the supported installation modes for PSM for SSH can be found in InstallCyberArkSSHD parameter.

Support for OpenSSH 7.8 and above default SSH key format

Starting from this version, PSM for SSH supports the new default OpenSSH SSH key format both for authenticating to PSM for SSH and for connecting to target machines using PSM for SSH's OpenSSH client application.

Additional information about this format can be found in the OpenSSH 7.8 release notes.

 

This format is not supported by CPM and PSM and can only be used for PSM for SSH native connections.

On-Demand Privileges Manager

OPM deployment on SUSE v15 SP2

Customers working with SUSE Linux Servers can now deploy OPM on SUSE Linux Enterprise Server v15 SP2.

Privileged Threat Analytics

PTA system health

PTA is an essential part of the Core PAS solution, and as such requires visibility to its health status.

To better understand whether PTA is installed, configured and properly working, customers can now view the PTA health indications in the PVWA System Health page, via a PVWA REST API, or via a PTA REST API. To benefit from this capability, you must upgrade both PVWA and PTA.

PTA support for inbound *NIX data feed from Splunk

Privileged Threat Analytics 12.0 expands the support for SIEM solutions by introducing *NIX integration with one of the leading SIEM vendors, Splunk.

Privileged Threat Analytics can now analyze *NIX data received from Splunk, and includes support for login events with both Passwords and SSH keys.

The new plugin can be found on the CyberArk Marketplace.

Security improvements

Internal components were upgraded to enhance security and make technological improvements to the operating system and third-party components for the PTA Server.

CyberArk highly recommends that all CyberArk customers upgrade PTA to the latest version to ensure that their PTA server is protected.

To rely on the latest and most secure platforms, CyberArk has updated its Windows-based installations (Vault, PVWA, CPM, PSM) to require .NET Framework 4.8.

Application Access Manager - Dynamic Access Provider (DAP)

GCP Authenticator

Version 12.0 introduces a new authenticator that enables workloads running in Google Cloud to authenticate to DAP using the underlying Google Cloud identity and securely retrieve secrets. This eliminates the secret zero problem. The new authenticator supports the following Google Cloud services:

  • Google Compute Engine

  • Google Cloud Functions

The new GCP Authenticator comes in addition to the already available AWS and Azure Authenticators, securing workloads on the three major cloud providers.

For more information about the GCP Authenticator, see GCP Authenticator.

Data segregation using multiple Vault Synchronizers to various hybrid and multi-cloud environments

You can now sync accounts from the same Vault to multiple DAP clusters serving hybrid and multi-cloud environments by connecting a Vault Synchronizer for each of the clusters (up to 5 DAP clusters). This enables data segregation among the different DAP environments. This could be useful for separating secrets available on-premise and in the various clouds, or separating secrets in testing and production environments.

FIPS compliance

The CyberArk Vault Synchronizer has been added to the list of FIPS compliant components:

  • DAP Server

  • Kubernetes Authenticator Client

  • (New) CyberArk Vault Synchronizer

Application Access Manager - Credential Providers

New .NET Standard SDK for .NET and .NET Core applications

To secure .NET Core and .NET Framework applications that are running on Windows or Linux, a new .NET Standard SDK is now available.

For a simple and easy transition, the new SDK APIs are compatible with the currently available .NET SDK.

For more information about the new SDK supported platforms and features, see .NET Application Password SDKs.

Credential Provider and Central Credential Provider - Windows installation improvements

As part of simplifying our installation procedures, prerequisites for the Credential Provider on Windows can now be installed as part of the installation process. In addition, a full silent installation option is available for Windows. For more information, see Credential Providers for Windows installation.

Credential Provider platform support

Credential Provider now supports Ubuntu v20 and Java v13, 14, and 15.

This has been tested and supported from version 11.4. This does not require an upgrade to v12.0.

Dual Account templates

For critical business applications that must be highly available, we recommend using dual accounts. To simplify the configuration, we now offer a way to configure and implement Dual Accounts using a template and scripts located on the CyberArk Marketplace. Using the template and scripts eases the configuration process and reduces the required manual steps.

For more information, see Configure dual accounts.

 

CyberArk Privilege Cloud supports configuring dual accounts using the template and scripts.

Central Credential Provider REST API added support for multiple authentication methods

A new configuration is now offered that enables several REST API endpoints with different authentication methods on the same Central Credential Provider.

For more information, see Multiple security configurations and authentication methods for the CCP web service.

Supporting Central Credential Provider on a hardened PVWA machine

You can now use the same hardened machine for both Central Credential Provider and PVWA. When applications authenticate with OS user authentication to this Central Credential Provider, a minor configuration change is needed in the server settings. For more information, see Configure a hardened server to accept OS user authentication.

Documentation

Vault upgrade

The Vault upgrade docs have been reorganized and streamlined for improved readability. Upgrade procedures are now organized according to the main Vault architecture (Primary-DR and Distributed Vaults). The upgrade process for each Vault type is documented as a complete end-to-end flow so users can stay within the main topic, eliminating the need to navigate back and forth between linked pages.

Component version compatibility

In the System Requirements by Product section, the information regarding version compatibility between components has been simplified, making it easier to locate the relevant information for each component. For more information, see Component version compatibility.