CyberArk PSMP (PSM for SSH Proxy) Administration and Troubleshooting

7/27/2020

Here are some administration tasks for PSMP servers.
  • Add Remote SSH User to PSMP server
  • PSMPAPP_ account Authentication Failure and PSMP disconnected


Control PSMPSRV service


/etc/init.d/psmpsrv {start|stop|restart|status} [{psmp|psmpadb}]



Add Remote SSH User to PSMP Server

By default, only the root user can log in, and only from the console. For any other user, the PSMP service treats the login as a connection to a remote server, as shown in the following screenshot.


Here are the steps to enable a new user to log in to the PSMP server remotely for administration work.

1 In the /etc/ssh directory, open the sshd_config configuration file for editing.


2 Add the following parameter to the file:
PSMP_MaintenanceUsers <username>,<username>

This example allows the following administrative users: user1, all users whose names end with "user2", all users whose names start with "user3", and all users whose names include "user4".
PSMP_MaintenanceUsers <user1>,<*user2>,<user3*>,<*user4*>


3 Save the changes and close the sshd_config configuration file. 

4 Create a new user and add it to the wheel group:
useradd root1
passwd root1
usermod -aG wheel root1

5 Restart the sshd service for these changes to take effect:
/etc/init.d/sshd restart

6 After logging in as root1, run sudo -i to switch to the root account.

Note: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Administrating-the-PSMP.htm?Highlight=PSMP%20administration
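The wildcard forms in step 2 decide which account names skip the proxy and log in to the PSMP host itself, so it helps to test a name against the list before restarting sshd. This is an added example, not CyberArk's or this blog's code: the function names, the constructed sample file and the "fewer than 4 literal characters" threshold are assumptions, and entries are assumed to be shell-style globs written without the angle brackets.

```shell
#!/bin/sh
# Assumption: entries are comma-separated shell-style globs; angle brackets,
# if present, are placeholder markers and are stripped.

# Print every PSMP_MaintenanceUsers pattern in sshd_config file $1, one per line.
maint_patterns() {
    awk 'tolower($1) == "psmp_maintenanceusers" {
             $1 = ""; gsub(/[<> ]/, ""); n = split($0, p, ",")
             for (i = 1; i <= n; i++) if (p[i] != "") print p[i]
         }' "$1"
}

# Succeed and print the matching pattern if user $2 is a maintenance user.
maint_match() {
    patterns=$(maint_patterns "$1")
    set -f                      # keep globs literal while word-splitting
    for pat in $patterns; do
        case "$2" in
            $pat) set +f; printf '%s\n' "$pat"; return 0 ;;
        esac
    done
    set +f
    return 1
}

# Print wildcard patterns with fewer than 4 literal characters (threshold is
# an arbitrary choice for this example), e.g. "*" or "a*".
maint_broad() {
    maint_patterns "$1" | while IFS= read -r pat; do
        literal=$(printf '%s' "$pat" | tr -d '*')
        case "$pat" in
            *[*]*) if [ "${#literal}" -lt 4 ]; then printf '%s\n' "$pat"; fi ;;
        esac
    done
}

# Constructed sample using the page's example patterns plus one broad entry.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
PermitRootLogin no
PSMP_MaintenanceUsers user1,*user2,user3*,*user4*,adm*
EOF
for u in root1 user1 xuser2 admin; do
    if p=$(maint_match "$SAMPLE" "$u"); then echo "$u: maintenance login ($p)"
    else echo "$u: proxied by PSMP"; fi
done
echo "broad: $(maint_broad "$SAMPLE")"
```

In the sample, root1 is not covered by any entry, so the account created in step 4 still has to be listed in PSMP_MaintenanceUsers before it can log in for maintenance.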


PSMPAPP_ account Authentication Failure and PSMP disconnected





[root@psmp conf]# vi /etc/opt/CARKpsmp/conf/basic_psmpserver.conf
[Main]
PSMPServerVaultFile="/etc/opt/CARKpsmp/vault/vault.ini"
PSMPServerCredFile="/etc/opt/CARKpsmp/vault/psmpappuser.cred"
PSMPServerGWCredFile="/etc/opt/CARKpsmp/vault/psmpgwuser.cred"
LogsFolder="/var/opt/CARKpsmp/logs"
LocalParmsFileFolder="/var/opt/CARKpsmp"
TempFolder="/var/opt/CARKpsmp/temp"
PSMPConfigurationSafe="PVWAConfig"
PSMPConfigurationFolder="Root"
PSMPPVConfigurationFileName="PVConfiguration.xml"
PSMPPoliciesConfigurationFileName="Policies.xml"
PSMPServerId="PSMPServer"
PSMPTempFolder="/var/opt/CARKpsmp/temp"

We need to reset the psmpappuser.cred file and the Vault password of the PSMPAPP_psmp user.
C:\CyberArk\Password Vault Web Access\Env>CreateCredFile.exe psmpappuser.cred
Vault Username [mandatory] ==> PSMPAPP_psmp
Vault Password (will be encrypted in credential file) ==> *********
Disable wait for DR synchronization before allowing password change (yes/no) [No] ==>
External Authentication Facility (LDAP/Radius/No) [No] ==>
Restrict to Application Type [optional] ==>
Restrict to Executable Path [optional] ==>
Restrict to current machine IP (yes/no) [No] ==>
Restrict to current machine hostname (yes/no) [No] ==>
Restrict to OS User name [optional] ==>
Display Restrictions in output file (yes/no) [No] ==>
Use Operating System Protected Storage for credentials file secret (Machine/User/No) [No] ==>
Command ended successfully

C:\CyberArk\Password Vault Web Access\Env>CreateCredFile.exe psmpgwuser.cred
Vault Username [mandatory] ==> PSMPGW_psmp
Vault Password (will be encrypted in credential file) ==> *********
Disable wait for DR synchronization before allowing password change (yes/no) [No] ==>
External Authentication Facility (LDAP/Radius/No) [No] ==>
Restrict to Application Type [optional] ==>
Restrict to Executable Path [optional] ==>
Restrict to current machine IP (yes/no) [No] ==>
Restrict to current machine hostname (yes/no) [No] ==>
Restrict to OS User name [optional] ==>
Display Restrictions in output file (yes/no) [No] ==>
Use Operating System Protected Storage for credentials file secret (Machine/User/No) [No] ==>
Command ended successfully

C:\CyberArk\Password Vault Web Access\Env>

Use WinSCP to upload these two files to the PSMP server, replacing the existing ones in /etc/opt/CARKpsmp/vault/.






PSMP_ADB_psmp suspended




[root@psmp conf]# cat /etc/opt/CARKpsmpadb/conf/basic_psmpadbridge.conf
[Main]
AppProviderParmsSafe="PSMPADBridgeConf"
AppProviderVaultParmsFolder=Root
AppProviderVaultParmsFile="main_psmpadbridge.conf.linux.11.04"
AppProviderVaultFile="/etc/opt/CARKpsmp/vault/vault.ini"
AppProviderCredFile="/etc/opt/CARKpsmpadb/vault/psmpadbridgeserveruser.cred"
LogsFolder="/var/opt/CARKpsmpadb/logs"
LocalParmsFileFolder="/var/opt/CARKpsmpadb"
TempFolder="/var/opt/CARKpsmpadb/tmp"
AdvancedFIPSCryptography="No"
PIMConfigurationSafe="PVWAConfig"
PIMConfigurationFolder="Root"
PIMPVConfigurationFileName="PVConfiguration.xml"
PIMPoliciesConfigurationFileName="Policies.xml"

Activate the user PSMP_ADB_psmp and update its password.



C:\CyberArk\Password Vault Web Access\Env>CreateCredFile.exe psmpadbridgeserveruser.cred
Vault Username [mandatory] ==> PSMP_ADB_psmp
Vault Password (will be encrypted in credential file) ==> *********
Disable wait for DR synchronization before allowing password change (yes/no) [No] ==>
External Authentication Facility (LDAP/Radius/No) [No] ==>
Restrict to Application Type [optional] ==>
Restrict to Executable Path [optional] ==>
Restrict to current machine IP (yes/no) [No] ==>
Restrict to current machine hostname (yes/no) [No] ==>
Restrict to OS User name [optional] ==>
Display Restrictions in output file (yes/no) [No] ==>
Use Operating System Protected Storage for credentials file secret (Machine/User/No) [No] ==>
Command ended successfully


[root@psmp vault]# cp /home/root1/psmpadbridgeserveruser.cred .
cp: overwrite ‘./psmpadbridgeserveruser.cred’? y
[root@psmp vault]# /etc/init.d/psmpsrv restart
Stopping PSM SSH Proxy....
PSM SSH Proxy was stopped successfully.
Starting PSM SSH Proxy...
PSM SSH Proxy was started successfully.
PSMP ADBridge is already stopped.
Starting PSMP ADBridge...
PSMP ADBridge was started successfully.
[root@psmp vault]#
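Both fixes above end with regenerated .cred files copied into /etc/opt/CARKpsmp/vault/ or /etc/opt/CARKpsmpadb/vault/, in the second case via a copy in /home/root1. The following added example (not CyberArk's or this blog's code) reads the *CredFile keys from a conf file like the ones shown, checks each referenced file, and lists staged copies left behind. The function names, the demo tree and the "no access for other" policy are assumptions.

```shell
#!/bin/sh
# Assumption (local hygiene policy, not a CyberArk requirement): each cred file
# must exist, be non-empty and grant no access to "other".

# Print the path of every *CredFile= key in conf file $1, one per line.
cred_paths() {
    sed -n 's/^[A-Za-z]*CredFile="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1"
}

# One status line per referenced file; non-zero return if any is not OK.
cred_check() {
    rc=0
    paths=$(cred_paths "$1")
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if [ ! -e "$f" ]; then state=MISSING
        elif [ ! -s "$f" ]; then state=EMPTY
        elif [ "$(ls -ld "$f" | cut -c8-10)" != "---" ]; then state=WORLD-ACCESSIBLE
        else state=OK
        fi
        [ "$state" = OK ] || rc=1
        printf '%s %s\n' "$state" "$f"
    done <<EOF
$paths
EOF
    return $rc
}

# List *.cred copies left behind in staging directory $1 after the upload.
staged_copies() {
    find "$1" -maxdepth 1 -type f -name '*.cred'
}

# Constructed demo tree standing in for /etc/opt/CARKpsmp/vault and /home/root1.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/vault" "$DEMO/home"
for n in psmpappuser psmpgwuser; do printf 'x' > "$DEMO/vault/$n.cred"; done
chmod 600 "$DEMO/vault/psmpappuser.cred"
chmod 644 "$DEMO/vault/psmpgwuser.cred"
printf 'x' > "$DEMO/home/psmpgwuser.cred"
cat > "$DEMO/basic_psmpserver.conf" <<EOF
[Main]
PSMPServerVaultFile="$DEMO/vault/vault.ini"
PSMPServerCredFile="$DEMO/vault/psmpappuser.cred"
PSMPServerGWCredFile="$DEMO/vault/psmpgwuser.cred"
EOF
cred_check "$DEMO/basic_psmpserver.conf" || echo "fix the files flagged above"
staged_copies "$DEMO/home"
```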


You can also use the registration tool to overwrite the environment created in the Vault:
https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20INST/PSMP_EnivromentManager.htm
It is recommended to change the default PSMPAppUser and PSMPGWUser parameter values to unique values to prevent overwriting previous installations.

/opt/CARKpsmp/bin/envmanager "CreateEnv" -AcceptEULA "Y" -CredFile "/tmp/user.cred" -PSMPAppUser "PSMPAppUser_PSMP1" -PSMPGWUser "PSMPGWUser_PSMP1"









via Blogger https://ift.tt/2D81BBh
July 27, 2020 at 01:47PM CyberArk