CyberArk 12.1 Lab - 4. CPM Installation

This post summarizes some steps to install CPM (Central Policy Manager).

Diagram

Installation Tasks Overview:

System Requirements

Refer to this doc and Install CPM:

1 Recommended server specifications

2 Components version compatibility

3 Software requirements

OS: 2019. 2016 (Preferred by installation guide), 2012 (Special requirements)

Application: Multi-language, Certificate, HSM, LDAP, Cipher suites for Syslog, SMTP over SSL

Protocols: RDP 

4 Ports and Protocols (Network Firewall might need to open those ports)

CPM should place to location close to the end targets, such as servers or applications. 

5 Enable a secure channel between CPM and PVWA server, if your CPM is going to be installed on a different server from PVWA.

Architecture 

Active - Passive

Active - Active

Installation Prerequisite

1 Clean installation of Windows 2016 standard. Update windows system to latest with all patches. 

2 Software requirements

• .NET Framework 4.8 Runtime

3 Run the CPM server prerequisites script

The CPM_PreInstallation.ps1 script automates and performs the following tasks:

• Verifies .NET version
• Sets IIS SSL TLS configuration

To run the CPM_PreInstallation script:

1. Copy the CPM folder from the installation package to the CPM server, and unzip the folder.

2. In the InstallationAutomation folder, locate the CPM_PreInstallation.ps1 file.

3. Open the PowerShell window, and run the CPM_PreInstallation.ps1 file as Administrator.

Installation CPM using scripts

 

1 Install CPM using scripts

1. In the CPM\InstallationAutomation\Installation folder, locate and open the InstallationConfig.xml file.

2. In the InstallationConfig.xml file, specify the following parameters:

   Parameter	Description
   Username	The name of the user running the installation. Valid values: Username Default value: Windows User
   Company	The name of the company running the installation. Valid values: Company name Default value: My Company
   CPMInstallDirectory	The path where CPM is installed.   If the path is more than 260 characters, enable the LongPathsEnabled setting. In the Registry Key settings, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Filesystem > LongPathsEnabled, and change the value from 0 to 1. Reboot the machine to recognize the new key setting. Valid values: Pathname Default value: C:\Program Files (x86)\CyberArk\
   isUpgrade	Whether this is a CPM upgrade or a new CPM installation. Valid values: True/False Default value: False

3. In a PowerShell window, run the CPMInstallation.ps1 script as Administrator.

2 Registration

The registration process connects the CPM to the Vault.

1. In the CPM\InstallationAutomation\Registration folder, locate and open the CPMRegisterComponentConfig.xml file.

2. In the CPMRegisterComponentConfig.xml file, specify the following parameters.

   Parameter	Description
   accepteula	Acceptance of the end user License agreement. Valid values: Yes/No
   vaultIP	The IP address or hostname of the Vault server. Valid values: IP address or hostname
   vaultport	The Vault’s configured communication port. Recommended default Vault port: 1858 Valid values: Port number
   vaultuser	The name of the Vault user performing the installation. Valid values: Username   We recommend using the Vault administrator user to install CPM as this user has the appropriate Vault authorizations, and is created in the appropriate location in the Vault hierarchy. For more information about the required authorizations, see Vault user authorizations.
   pocmode	Whether or not CPM is installed in POC mode. Valid values: True/False
   installDirectory	The path where CPM is installed. Specifiy the same value as the CPMInstallDirectory value in the InstallationConfig.xml file. Valid values: Pathname Default value: C:\Program Files (x86)\CyberArk\
   username	Sets the CPM user name. CPM Safe names will be created according to the user name that you specify. If the user name is already in use, a sequence number will be added. Example: PasswordManager1, PasswordManager2 and so on. Default value: PasswordManager
   isUpgrade	Indicates whether the registration is for a clean installation or an upgrade. Valid values: True\False Default value: False

3. In a PowerShell window, run the CPMRegisterComponent.ps1 script as Administrator, and provide the Vault password in one of the following ways.

   Method	Command
   As a secure string (recommended)	CD “<installation package Path>InstallationAutomation\Registration” .\CPMRegisterComponent.ps1 -spwdObj <vaultpassword>
   Use a Windows authentication window (recommended for manual runs)	CD “<installation package Path>InstallationAutomation\Registration” .\CPMRegisterComponent.ps1
   As clear text (not recommended)	CD “<installation package Path>InstallationAutomation\Registration” .\CPMRegisterComponent.ps1 -pwd <vaultpassword>

Install CPM using installation wizard

 This installation process installs the CPM and connects to the Vault (registration).

1. On the CPM machine, create a new folder, and copy the Central Policy Manager folder from the installation package to the new folder.

2. Start the installation procedure by doing one of the following actions:

   • Double-click Setup.exe

   • On systems that are UAC-enabled, right-click Setup.exe, and then select Run as Administrator.

     The Setup window appears.

     

     You can exit installation at any time by clicking Cancel. You can return to the previous installation window by clicking Back, when relevant.

3. Click Next.

   A list of applications appear that must be installed on your machine prior to the CPM installation.

   

4. Click Install.

   

5. Read the license agreement, and then click Yes.

   

6. In the Customer Information window, enter your name and Company name in the appropriate fields, and then click Next.

   

7. In the Destination location window, do one of the following actions:

   • Click Next to accept the default location where the CPM will be installed (displayed in the Destination Folder area).

   • Click Browse, select another location, and then click Next.

   

8. In the Setup Type window, select No Policy Manager was previously installed, and then click Next.

   

9. In the Vault's Connection Details window, enter the IP address or DNS of the Vault and its port number, and then click Next.

   

10. In the Vault's Username and Password Details window, enter the name and password of the Vault user who will create the CPM environment in the Vault, and then click Next.

    Use the Vault administrator user to add the complete installation, and create it in the appropriate location in the Vault hierarchy. Only the Vault administrator user has permissions to add the new platforms. If they are not added automatically during installation, you can import them manually after the installation.

    The installation process begins, and builds the CPMenvironment in the Vault and on the CPM machine.

    1. If there is an existing PasswordManager user in the Vault, the following window appears.

       

       Do one of the following actions:

       • Accept the default CPM user name

       • Enter a different name

    2. Click Next to continue with the installation.

    3. If the cpm.ini file already exists in the Vault, the following

       the following window appears.

       

       Do one of the following actions:

       • Click Yes to override the existing cpm.ini file

       • Click No to leave the existing cpm.ini file in the Vault

11. In the Setup Complete window, click Finish to complete the installation.

12. Restart the machine.

Note: You might face an error regarding CPMEM038E Error while installation wizard trying to import platforms. Import platforms manually  ( ignore this error )

Error message :

CPMEM038E Error while trying to import platforms. Import the platforms manually. Refer to log for more information.

Post-Installation

Refer to this doc:

1 Create a Trusted Network Area

During installation, several Vault objects are created to enable the CPM to access existing passwords, generate new ones and replace them on a remote machine. However, before the CPM can begin working, it is recommended to create a Trusted Network Area for the CPM user to log on to the Vault.

Make sure that the CPM user can only log on to the Vault from the CPM machine.

To create a trusted network area:

1. Create a Network Area that includes only the IP address of the CPM machine, and from where the CPM user will log on to the Vault.

2. In the User Properties window, add this network area to the user’s Trusted Network Areas.

3. Restart the following services:

   • CyberArk Password Manager service

   • CyberArk Central Policy Manager Scanner

2 Check the installation log files and CPM log files

Capture the installation log file and save it to somewhere else. Else, the installation log file will be automatically deleted after next reboot. 

pm.log

pm_error.log

3 Check the CPM related files and services

4 Add restrictions to the protected credentials file

5 Vault Changes, such as safes, users, saved files. 

Hardening

The CPM hardening process is a series of tasks that enhance security on the Windows Server machine. Hardening is performed after CPM installation.

Hardening consists of the following tasks:

• In-Domain Automatic Hardening via GPO
• Out of Domain Hardening via INF import

Multiple CPMs

DR :

In order to prevent a scenario where the CPM is unavailable, you can set up a Disaster Recovery (DR) "active-passive" cluster by installing and configuring a second CPM instance.

If the primary CPM is down, you can manually switch over to the second instance, the DR CPM.

Only one active instance of the CPM can be available at any time.

In this section:

Install and configure a DR CPM

Switch between the primary and DR CPMs

Troubleshooting

1. CPM verify password failed because of CPM engine signature 

Error message: 

CACPM338E Failed to perform verifypass operation on Master

See logs for more information.).

The CPM is trying to verify this password because its status matches the following search criteria: ResetImmediately,Failure

Safe: Dev-Cyber-J-Test-1

Folder: Root

Object: Operating System-Dev-Win-Domain-Test-1-51sectest.dev-winadmin1 (Error: CACPM804E Error verifying CPM engine signature: ".\bin\passchng.exe"

Fix: 

Administration > Central Policy Manager > selected the right PasswordManager > CPM Settings > General > VerifyEnginesSignatures = No.

Restart the CPM.

That should fix it.

My CPM Version: 11.5

YouTube

References

• Install AD & CS (Certification Service) on Windows Server 2016 to Deploy Enterprise PKI
• Logo Privileged Access Manager Version 12.2 - Installation
• 06 - Install CPM - Central Policy Manager