QUESTIONS AND ANSWERS GRADED A+
✔✔Which four LDAP groups need to be created for granting access to the Vault? -
✔✔CyberArk Administrators
CyberArk Safe Managers
CyberArk Auditors
CyberArk Users
✔✔What does LDAP/S do? - ✔✔Ensures that all of the traffic between the Domain
Controller or LDAP authenticating Server and the Vault is encrypted
✔✔Steps for Enabling LDAP/S - ✔✔1. Install the Root Certificate for the CA that issued
the certificate on the directory servers to the Vault Servers
2. Create a hosts file on the vault servers to manually resolve directory server names
✔✔Is a Vault Firewall rule required for LDAP/S? - ✔✔No
✔✔What happens if you delete a user in CyberArk, that is still a part of the LDAP
domain? - ✔✔It will automatically be re-created upon login if it still exists within AD and
is still a member of one of the groups defined in a Directory Mapping.
✔✔What file do you configure LDAP synchronization with external directory? -
✔✔dbparm.ini
✔✔LDAP User Mapping - ✔✔Allows for authentication and defines user's attributes,
such as Vault authorizations and locations
✔✔LDAP Group Mapping - ✔✔Makes LDAP groups searchable from within CyberArk
and allows mapped LDAP groups to be granted Safe authorizations based upon group
membership
✔✔LDAP Vault Authorization Groups - ✔✔Vault Users
Safe Managers
Vault Admins
Auditors
✔✔Which user can edit Directory Mappings? - ✔✔Built-in Administrator
✔✔Pre-requisites for SMTP Integration - ✔✔1. Have the IP address of the SMTP
Gateway available
2. Ensure that any necessary firewall rules or ACLs allow communications from the
Vault Servers to the SMTP gateway
,✔✔How to enable the ENE Setup Wizard once it has been configured once - ✔✔Set the
SMTP address to 1.1.1.1
✔✔What does SNMP Integration do? - ✔✔Allows for remote monitoring by sending
Vault traps to a remote terminal, such as operating system and component-specific
information.
✔✔Pre-requisites for SNMP Integration - ✔✔1. Have IP addresses of all servers that
can accept SNMP traps available
2. Have Community String available
3. Provide the Management Information Base (MIB) files to the SNMP admin for loading
into the management console
4. Have a resource from the team responsible for SNMP monitoring
✔✔What needs to be configured for SNMP? - ✔✔Remote Control Agent
✔✔What file + parameters are used for SNMP configuration? - ✔✔paragint.ini
SNMPHostIP
SNMPTrapPort
SNMPCommunity
✔✔What does SIEM Integration do? - ✔✔Allows correlation of Privileged Account
Usage with Privileged Account Activity.
✔✔Vault Protocols for SIEM Integration - ✔✔TLS, TCP, UDP
✔✔If using TLS as the protocol for SIEM integration, what do you need? - ✔✔Signed
certificate for the syslog server
✔✔Why must you configure time synchronization for the vault? - ✔✔The vault server(s)
are standalone, and do not participate in a domain, so time synchronization needs to be
configured manually.
✔✔What is critically important to remember when configuring NTP for Vault servers? -
✔✔It is critically important to reduce or eliminate time drift between the Vault server and
CyberArk system components.
✔✔Pre-requisites for NTP Integration - ✔✔IP address of the Network Time Server
Open network path for NTP standard port tcp_123
✔✔NTP Integration Steps - ✔✔1. Enable Windows Time service, set to Automatic
(Delayed Start)
2. Create a firewall exception in dbparm.ini
3. Restart PrivateArk Server service
, 4. Set a time skew to prevent large changes to the system clock
✔✔Authentication Methods that Support All 3 Interfaces - ✔✔CyberArk, LDAP, RADIUS
✔✔Authentication Interfaces - ✔✔PVWA, PrivateArk Client, PSM Window/PSM SSH,
PSM Cloud
✔✔PVWA Authentication Categories - ✔✔CyberArk authentication
Vault Integrated External authentication
IIS Integrated External authentication
✔✔CyberArk Authentication - ✔✔The PVWA sends details to the Vault, which performs
the authentication
✔✔Vault Integrated External Authentication - ✔✔The PVWA sends credentials to the
Vault, which in turn forwards the request to the external authentication servers.
✔✔IIS Integrated External Authentication - ✔✔The PVWA sends the credentials to the
server's IIS service. IIS forwards the request to the external authenticating server, and
confirms authentication to the PVWA web application, which confirms authentication to
the Vault.
✔✔passparm.ini - ✔✔The CyberArk internal Password Policy is configured in the
passparm.ini
✔✔Where is passparm.ini stored? - ✔✔Locally on the Vault server and uploaded to the
System safe automatically.
✔✔RADIUS Authentication - ✔✔1. Create a file to store the shared secret with the
RADIUS server on the vault
2. Add the RADIUS configuration in dbparm.ini and restart the PrivateArk service
3. Set the user's Authentication method to RADIUS
4. Enable RADIUS authentication in the PVWA
✔✔CyberArk Two-Factor Authentication - ✔✔You can combine one PVWA method
(PKI, Windows, RSA) with one Vault method (CyberArk, LDAP, RADIUS)
✔✔Which two authentication methods can provide two factor authentication through
native protocols? - ✔✔RADIUS and RSA SecurID
✔✔What is the only two factor authentication method for PSMP? - ✔✔RADIUS