You are planning to configure Multi-Factor Authentication (MFA) for your CyberArk Privilege Cloud Shared Service.
What are the available authentication methods?
- A . LDAR RADIUS. SAML OpenID Connect (OIDC)
- B . Windows. PKI. RADIUS. CyberArk, LDAP. SAML. OpenID Connect (OIDC)
- C . Privilege Cloud Shared Services fully utilize CyberArk Identity and its MFA options.
- D . Only RADIUS can be used to achieve MFA across all components, such as PSM for RDP and PSM for SSH.
B
Explanation:
In CyberArk Privilege Cloud, Multi-Factor Authentication (MFA) can be configured to enhance security by requiring multiple methods of authentication from independent categories of credentials to verify the user’s identity. The available authentication methods include:
Windows Authentication: Leverages the user’s Windows credentials.
PKI (Public Key Infrastructure): Utilizes certificates to authenticate.
RADIUS (Remote Authentication Dial-In User Service): A networking protocol that provides centralized Authentication, Authorization, and Accounting management.
CyberArk: Uses CyberArk’s own authentication methods.
LDAP (Lightweight Directory Access Protocol): Protocol for accessing and maintaining distributed directory information services.
SAML (Security Assertion Markup Language): An open standard that allows identity providers to pass authorization credentials to service providers.
OpenID Connect (OIDC): An authentication layer on top of OAuth 2.0, an authorization framework.
Reference for this can be found in the CyberArk Privilege Cloud documentation, which details the integration and setup of MFA using these methods.
When installing the first CPM within Privilege Cloud using the Connector Management Agent, what should you set the Installation Mode to in the CPM section?
- A . Active
- B . Passive
- C . Default
- D . Primary
A
Explanation:
When installing the first CyberArk Privilege Management (CPM) instance in the Privilege Cloud using the Connector Management Agent, the installation mode should be set to "Active". This configuration sets the CPM to be actively involved in password management and task processing without being in a standby or passive mode.
Here are the step-by-step details:
Download the Connector Management Agent: Obtain the installer from the CyberArk Marketplace or your installation kit.
Run the Installer: Start the setup and select the CPM component to install.
Choose Installation Mode: When prompted, select "Active" as the installation mode. This sets up the CPM as the primary node responsible for handling password management operations.
This setup ensures that the CPM is immediately active and capable of handling requests without waiting for manual intervention or failover.
Reference: CyberArk’s official documentation provides guidance on setting up the CPM, where it specifies the modes and their purposes.
CyberArk User Neil is trying to connect to the Target Linux server 192.168.1.164 using a domain user ACMElinuxuser01 on domain acme.corp using PSM for SSH server 192.168.65.145.
What is the correct syntax?
- A . ssh neil@linuxuser01: acme.corp@192.168.1.164@192.168.65.145
- B . ssh neil@linuxuser01#acme.corp@192.168.1.164@192.168.65.145
- C . sshneil@linuxuser01@192.168.1.164@192.168.65.145
- D . ssh neil@linuxuser01@acme.corp@192.168.1.164@192.168.65.145
B
Explanation:
In CyberArk Privilege Cloud, when connecting to a target server using the Privileged Session Manager (PSM) for SSH, the correct syntax for the SSH command includes the following format: ssh neil@linuxuser01#acme.corp@192.168.1.164@192.168.65.145. This syntax breaks down as follows:
neil: The CyberArk username.
linuxuser01#acme.corp: The domain user on the target Linux server, formatted as username#domain.
CyberArk User Neil is trying to connect to the Target Linux server 192.168.1.164 using a domain user ACMElinuxuser01 on domain acme.corp using PSM for SSH server 192.168.65.145.
What is the correct syntax?
- A . ssh neil@linuxuser01: acme.corp@192.168.1.164@192.168.65.145
- B . ssh neil@linuxuser01#acme.corp@192.168.1.164@192.168.65.145
- C . sshneil@linuxuser01@192.168.1.164@192.168.65.145
- D . ssh neil@linuxuser01@acme.corp@192.168.1.164@192.168.65.145
B
Explanation:
In CyberArk Privilege Cloud, when connecting to a target server using the Privileged Session Manager (PSM) for SSH, the correct syntax for the SSH command includes the following format: ssh neil@linuxuser01#acme.corp@192.168.1.164@192.168.65.145. This syntax breaks down as follows:
neil: The CyberArk username.
linuxuser01#acme.corp: The domain user on the target Linux server, formatted as username#domain.
CyberArk User Neil is trying to connect to the Target Linux server 192.168.1.164 using a domain user ACMElinuxuser01 on domain acme.corp using PSM for SSH server 192.168.65.145.
What is the correct syntax?
- A . ssh neil@linuxuser01: acme.corp@192.168.1.164@192.168.65.145
- B . ssh neil@linuxuser01#acme.corp@192.168.1.164@192.168.65.145
- C . sshneil@linuxuser01@192.168.1.164@192.168.65.145
- D . ssh neil@linuxuser01@acme.corp@192.168.1.164@192.168.65.145
B
Explanation:
In CyberArk Privilege Cloud, when connecting to a target server using the Privileged Session Manager (PSM) for SSH, the correct syntax for the SSH command includes the following format: ssh neil@linuxuser01#acme.corp@192.168.1.164@192.168.65.145. This syntax breaks down as follows:
neil: The CyberArk username.
linuxuser01#acme.corp: The domain user on the target Linux server, formatted as username#domain.
After a scripted installation has successfully installed the PSM, which post-installation task is performed?
- A . The screen saver for the PSM local users is disabled.
- B . A new group called PSMShadowUsers is created.
- C . The PSMAdminConnect user password is reset.
- D . Remote desktop services are installed.
A
Explanation:
After the successful scripted installation of the Privileged Session Manager (PSM), one of the post-installation tasks is to disable the screen saver for the PSM local users. This is done to ensure that the PSMConnect and PSMAdminConnect users, which are created during the installation process, do not have a screen saver activated that could interfere with the operation of the PSM.
Reference: CyberArk documentation on PSM post-installation tasks1.
CyberArk documentation on disabling the screen saver for PSM local users
Which tool configures the user object that will be used during the installation of the PSM for SSH component?
- A . CreateUserPass
- B . CreateCredFile
- C . ConfigureCredFile
- D . ConfigureUserPass
B
Explanation:
The tool used to configure the user object for the installation of the PSM for SSH component is CreateCredFile. This tool is responsible for creating a credentials file that stores the necessary user details required during the installation process, ensuring secure and correct authentication.
Reference: CyberArk Privilege Cloud Introduction
You are configuring firewall rules between the Privilege Cloud components and the Privilege Cloud.
Which firewall rules should be set up to allow connections?
- A . from the CyberArk Privilege Cloud to the Privilege Cloud components
- B . from the Privilege Cloud components to the CyberArk Privilege Cloud
- C . bi-directionally between the Privilege Cloud components and the CyberArk Privilege cloud
- D . from the Privilege Cloud components to CyberArk.com
C
Explanation:
When configuring firewall rules for CyberArk Privilege Cloud, it is essential to allow bi-directional communication between the Privilege Cloud components and the CyberArk Privilege Cloud. This ensures that all necessary communications for operations and management can occur securely in both directions.
Reference: CyberArk documentation on system requirements for outbound traffic network and port requirements1.
CyberArk documentation on setting up an IP allowlist, which enables Privilege Cloud customer-side components to communicate with the Privilege Cloud SaaS environment2.
CyberArk documentation on connecting to organization firewalls
What is a requirement when installing the PSM on multiple Privileged Cloud Connector servers?
- A . Each PSM must have the same path to the same recordings directory.
- B . All PSMs in the environment must be configured to use load balancing.
- C . Additional Privilege Cloud Connector servers cannot have CPM installed.
- D . In-domain servers cannot be used when deploying multiple PSM servers.
A
Explanation:
When installing the Privileged Session Manager (PSM) on multiple servers, it is required that each
PSM installation has the same path to the same recordings directory. This is necessary to ensure that session recordings are stored consistently across different PSM instances, which is important for high availability and load balancing implementations, as well as for maintaining a unified audit trail.
Reference: CyberArk documentation on installing multiple PSM servers
What must be done to configure the syslog server IP address(es) for SIEM integration? (Choose 2.)
- A . Submit a service request to CyberArk Support.
- B . Update the syslog server IP address through the Privilege Cloud Portal.
- C . Update the DBPARM.ini file with the correct syslog server IP address.
- D . Update the vault.ini file with the correct syslog server IP address.
- E . Configure the Secure Tunnel for SIEM integration.
B, E
Explanation:
To configure the syslog server IP addresses for SIEM integration in a CyberArk Privilege Cloud environment, the following steps are generally required:
Update the syslog server IP address through the Privilege Cloud Portal (Option B): This is typically done via the administrative interface where system logging configurations can be managed. It allows for straightforward integration of external logging tools by specifying the destination syslog server IP.
Configure the Secure Tunnel for SIEM integration (Option E): Establishing a secure tunnel is often necessary for secure and reliable data transmission between the CyberArk Privilege Cloud and the external syslog server, particularly when integrating SIEM systems that require encrypted and secure data pathways.
Reference: CyberArk’s SIEM integration documentation and support articles often discuss these steps as part of setting up comprehensive security and monitoring configurations.
In the directory lookup order, which directory service is always looked up first for the CyberArk Privilege Cloud solution?
- A . Active Directory
- B . LDAP
- C . Federated Directory
- D . CyberArk Cloud Directory
D
Explanation:
In the directory lookup order for the CyberArk Privilege Cloud solution, the "CyberArk Cloud Directory" is always looked up first. This directory service is a part of the CyberArk Privilege Cloud infrastructure and is specifically designed to handle identity and access management within the cloud environment efficiently. It prioritizes the CyberArk Cloud Directory for authentication and identity resolution before consulting any external directory services.
Reference: CyberArk’s architectural documentation usually emphasizes the role of the CyberArk Cloud Directory in managing and authenticating user access in cloud-based deployments, highlighting its precedence in the directory lookup process.
Your customer recently merged with a smaller organization. The customer’s connector has no network connectivity to the smaller organization’s infrastructure. You need to map LDAP users from both your customer and the smaller organization.
How is this achieved?
- A . Create the required users in one directory and configure the Identity Connector to read that directory, as there can only be one Identity Connector.
- B . Create mappings for both directories from the original Identity Connector.
- C . Deploy Identity Connectors in the newly acquired infrastructure and create user mappings.
- D . Switch all users to SAML authentication as there can only be one Identity Connector.
C
Explanation:
To map LDAP users from both your customer and the smaller organization they have merged with, especially when there is no network connectivity between the two infrastructures, the best approach is to:
Deploy Identity Connectors in the newly acquired infrastructure and create user mappings (Option C). This involves setting up additional Identity Connectors within the smaller organization’s network. These connectors will facilitate the integration of user directories from both organizations into the customer’s Privilege Cloud environment.
Reference: CyberArk documentation on Identity Connectors often outlines the capability of deploying multiple connectors to manage different user directories, especially useful in scenarios involving mergers or acquisitions where separate infrastructures need integration.
After correctly configuring reconciliation parameters in the Prod-AIX-Root-Accounts Platform, this error message appears in the CPM log: CACPM410E Ending password policy Prod-AIX-Root-Accounts since the reconciliation task is active but the AllowedSafes parameter was not updated.
What caused this situation?
- A . The reconciliation account defined in the Platform is in a locked state and is not accessible.
- B . The CPM is currently configured to use to an unsigned engine.
- C . The AllowedSafes parameter does not include the safe containing the reconciliation account defined in the Platform.
- D . A second CPM is incorrectly configured to manage the reconciliation account’s safe which is causing a deadlock situation between the two CPMs.
C
Explanation:
The error message "CACPM410E Ending password policy Prod-AIX-Root-Accounts since the reconciliation task is active but the AllowedSafes parameter was not updated" suggests an issue with configuration parameters.
The likely cause is:
The AllowedSafes parameter does not include the safe containing the reconciliation account defined in the Platform (Option C). This parameter must accurately reflect all safes where the reconciliation account operates to ensure proper management and access by the Central Policy Manager (CPM). If the safe containing the reconciliation account is not listed, the CPM cannot perform its tasks, leading to this error.
Reference: CyberArk’s error codes and troubleshooting guides detail how specific configuration mismatches, like an incomplete AllowedSafes parameter, can disrupt normal operations, especially in reconciliation processes.
How can a platform be configured to work with load-balanced PSMs?
- A . Remove all entries from configured PSM Servers except for the ID of the PSMs with load balancing.
- B . Create a new PSM definition that targets the load balancer IP address and assign to the platform.
- C . Include details of the PSMs with load balancing in the Basic_psm.ini file on each PSM server.
- D . Use the Privilege Cloud Portal to update the Session Management settings for the platform in the Master Policy.
B
Explanation:
To configure a platform to work with load-balanced Privileged Session Managers (PSMs), you should:
Create a new PSM definition that targets the load balancer IP address and assign it to the platform (Option B). This approach involves configuring the platform settings to direct session traffic through a load balancer that distributes the load across multiple PSM servers. This is effective in environments where high availability and fault tolerance are priorities.
Reference: CyberArk’s setup guidelines for high-availability environments typically recommend configuring platforms to utilize load balancers to ensure continuous availability and optimal distribution of session management tasks.
You are deploying a CyberArk Identity Connector to integrate Privilege Cloud Shared Services with an Active Directory environment.
Which requirement must be met?
- A . The Identity Connector Server must be joined to the Active Directory.
- B . The Server must be a member of the root domain of the Active Directory forest.
C The Identity Connector must be installed on a Domain Controller. - C . The Identity Connector must be installed using Domain Administrator credentials.
A
Explanation:
When deploying a CyberArk Identity Connector to integrate Privilege Cloud Shared Services with an Active Directory environment, the server hosting the Identity Connector must meet specific requirements to ensure proper integration and functionality.
The necessary condition is:
The Identity Connector Server must be joined to the Active Directory (Option A). This requirement ensures that the server can communicate effectively with the Active Directory services and manage identity data securely and efficiently. Being part of the Active Directory domain facilitates authentication and authorization processes required for the connector to function correctly.
Reference: CyberArk installation and configuration guides typically emphasize the importance of having the Identity Connector server joined to the domain to allow seamless interaction with Active Directory services.
Your customer is using Privilege Cloud Shared Services.
What is the correct CyberArk Vault address for this customer?
- A . carkvault-<subdomain>.privilegecloud.cyberark.cloud
- B . vault-<subdomain>.privilegecloud.cyberark.cloud
- C . v-<subdomain>.privilegecloud.cyberark.cloud
- D . carkvlt-<subdomain> privilegecloud.cyberark.cloud
B
Explanation:
For customers using CyberArk Privilege Cloud Shared Services, the correct format for the CyberArk Vault address is:
vault-<subdomain>.privilegecloud.cyberark.cloud (Option B). This format is used to access the vault services provided by CyberArk in the cloud environment, where <subdomain> is the unique identifier assigned to the customer’s specific instance of the Privilege Cloud.
Reference: CyberArk’s Privilege Cloud documentation provides details on how to access various services, including the vault. The standard naming convention for accessing the vault services in the cloud typically follows this format.
You are implementing LDAPS Integration for a standard Privilege Cloud environment.
Which information must be provided to the CyberArk Privilege Cloud support team through a Service Request? (Choose 2.)
- A . LDAPS certificate chain for all domain controllers to be integrated
- B . LDAP bind username and password used to authenticate to the directory to be integrated
C Domain Base Context used to locate the users and groups in the Active Directory to be integrated - C . Fully Qualified Domain Name and IP Address of the domain controllers to be integrated
- D . remote port set during secure tunnel configuration for each domain controller to be integrated
A, D
Explanation:
When implementing LDAPS Integration for a standard Privilege Cloud environment, certain information is crucial and must be provided to the CyberArk Privilege Cloud support team through a Service Request.
The necessary details include:
LDAPS certificate chain for all domain controllers to be integrated (Option A): This information is critical to establishing a trusted secure connection between the Privilege Cloud and the domain controllers using LDAP over SSL (LDAPS).
Fully Qualified Domain Name and IP Address of the domain controllers to be integrated (Option D): This information is essential for accurately identifying and configuring the network connections to each domain controller that will be integrated with the Privilege Cloud.
Reference: The process of setting up LDAPS integration typically requires detailed network and security information about the domain controllers to ensure secure and reliable connectivity. CyberArk support documentation and service request forms usually specify the need for these details.
Which statement best describes a PSM server’s network requirements?
- A . It must reach the target system using its native protocols.
- B . It requires limited outbound connectivity to Ports 1858 and 443 only.
- C . It requires direct access to the internet.
- D . It requires broad inbound firewall rules and outbound traffic should be limited to Port 1858.
A
Explanation:
For a Privilege Session Manager (PSM) server, the network requirements primarily focus on its ability to interact with target systems securely and efficiently.
The most accurate statement regarding these requirements is:
It must reach the target system using its native protocols (Option A). This is essential for the PSM to manage sessions effectively, as it needs to communicate using the protocols that the target systems are configured to accept, such as SSH for Linux servers or RDP for Windows servers.
Reference: CyberArk’s PSM documentation typically outlines the need for PSM servers to have network paths configured to communicate directly with target systems using the relevant protocols to ensure secure and controlled session management.
Which users are Privilege Cloud Standard built-in users? (Choose 2.)
- A . NASCorp
- B . saascorps
- C . CyberArkAdmin
- D . remoteAccessAppUser
- E . PASReporterUser
C, E
Explanation:
In CyberArk Privilege Cloud Standard, certain users are predefined as built-in for administrative and operational purposes.
The built-in users include:
CyberArkAdmin (Option C): This user is typically set up as a default administrator with full access to
manage and configure the Privilege Cloud environment.
PASReporterUser (Option E): This user is often configured as a reporting user, designed to generate and access various reports without having broader administrative privileges.
Reference: CyberArk’s Privilege Cloud setup and administration guides usually list these users as part of the default configuration to facilitate initial setup and ongoing management of the platform.
On the CPM, you want to verify if DEP is disabled for the required executables According to best practices, which executables should be listed? (Choose 2.)
- A . Telnet.exe
- B . Plink.exe
- C . putty.exe
- D . mstsc.exe
B, C
Explanation:
On the Central Policy Manager (CPM), it is crucial to verify that Data Execution Prevention (DEP) is disabled for specific executables required for proper operation according to best practices.
The relevant executables include:
Plink.exe (Option B): This executable is commonly used for SSH communications and may require DEP to be disabled to function correctly under certain configurations.
putty.exe (Option C): Similar to Plink.exe, Putty is another essential tool for SSH communications and might also require DEP to be disabled to prevent any execution issues.
Reference: CyberArk’s best practices for system configuration often highlight the need to adjust DEP settings for certain executables to ensure they run without interruption, particularly when these tools are crucial for secure communications and operations management.
What is the default username for the PSM for SSH maintenance user?
- A . proxymng
- B . psmp_maintenance
- C . psmpmaintenanceuser
- D . proxyusr
B
Explanation:
The default username for the Privileged Session Manager (PSM) for SSH maintenance user in CyberArk Privilege Cloud is psmp_maintenance. This account is used for maintenance purposes and is integral for administrative tasks and configurations related to SSH sessions managed by the PSM. The username is predefined and standardized across deployments to maintain consistency and ensure security best practices are adhered to. The username is mentioned in the CyberArk official documentation regarding PSM configuration for SSH.
What is a supported certificate format for retrieving the LDAPS certificate when not using the Cyberark provided LDAPS certificate tool?
- A . .der
- B . .p7b
- C . p7c
- D . p12
A
Explanation:
For retrieving the LDAPS certificate when not using the CyberArk provided LDAPS certificate tool, the supported certificate format is .der. The DER (Distinguished Encoding Rules) format is a binary form of a certificate rather than the ASCII PEM format. This format is widely supported across various systems for securing LDAP connections by providing a mechanism for LDAP servers to authenticate themselves to users. This information can be verified by checking LDAP configuration guides and CyberArk’s secure implementation documentation which outline supported certificate formats for LDAP integrations.