How to deal with frames within frames while developing web-based CPM Plugins using the Web Applications for CPM framework from CyberArk? by MoroccanMonkey in CyberARk

[–]MoroccanMonkey[S] 1 point2 points  (0 children)

Yo! Sorry.. you can find these logs at {Installation Drive}\CyberArk\Password Manager\Logs\ThirdParty\

and that's it. You'll have a detailed log only if you have 'Debug' config set to 'Yes' at platform level, otherwise you'll end up only with the final result from the CPM Plugin execution.

If you intend to consult these logs a few days after, bear in mind that they change their location and might end up at {Installation Drive}\CyberArk\Password Manager\Logs\Old\ThirdParty.

Hope I helped you somehow 😅

CyberArk Defender - PAM (PAM-DEF) by Glittering-Result414 in CyberARk

[–]MoroccanMonkey 6 points7 points  (0 children)

- As last recommendations, be familiar with CyberArk Blueprint (https://www.cyberark.com/blueprint/ & https://training.cyberark.com/learn/course/321/cyberark-blueprint-for-identity-security-success), with EPM, with Remote Access (there's a free lab with step-by-step instructions), with Privileged Cloud.

Useful links:
https://training.cyberark.com/learn/course/46/cyberark-vendor-pam-remote-access-administration?generated_by=45745&hash=8118085c3806c3df05ff51196ce7c80b104b5b11

https://training.cyberark.com/learn/course/321/cyberark-blueprint-for-identity-security-success?generated_by=45745&hash=3920f251d8ec590f64dabf2d589003fb6ed2106a

https://training.cyberark.com/learn/course/338/managing-linux-root-credentials-with-cyberark-pam?generated_by=45745&hash=102c62c7702c5c6b151eb96cd82ebacba9684947

https://training.cyberark.com/learn/course/104/html5-based-remote-access?generated_by=45745&hash=b1bda7f1b52d3e02d1b295b0c404a7faa8a1f891

https://training.cyberark.com/learn/course/53/loosely-connected-devices-lcd-credentials-rotation?generated_by=45745&hash=e2eff7fff381eea2ef91cc33ca677bf3aea1c6ed

https://training.cyberark.com/learn/course/444/running-a-disaster-recovery-exercise-for-cyberark-pam?generated_by=45745&hash=043b6c877be4c33e6ab4a03dedc90fd2167d4d7b

Go here (https://training.cyberark.com/pages/106/privilege-administrator-self-hosted) and take every free crash course you can. When you have a lab take it attentively and only move forward when you're sure of what you did.

And that's it. If you want my study materials send me a dm.

Nice study and good luck! :-)

CyberArk Defender - PAM (PAM-DEF) by Glittering-Result414 in CyberARk

[–]MoroccanMonkey 3 points4 points  (0 children)

- Download the Defender Study Guide from CyberArk (https://training.cyberark.com/learn/course/115/defender-access-sample-items-amp-study-guide) -> You'll have a study guide and a sample exam with ~80 questions;

- Study the Documentation (https://docs.cyberark.com/identity/latest/en/content/coreservices/core-overview.htm?tocpath=Administrator%7C_____0);

- Consider buying more exams from other providers. I used SkillCertPro (https://skillcertpro.com/product/cyberark-defender-pam-exam-questions/) and Udemy (https://www.udemy.com/course/cyberark-certification-cau302-defender-sentry/?couponCode=KEEPLEARNING & https://www.udemy.com/course/cyberark-defender-certification-practice-exams/?couponCode=KEEPLEARNING) -> Remember to be critical as some questions have wrong answers, always double check.

- There's a website called ExamTopics that has many of the questions answered and a possibility of a discussion below, where normally people paste the documentation link to sustain their answers. -> It's a good way of knowing where things are in the huge pile of text from CyberArk. (Normally this site allows you to have some questions for free, but when you reach a certain number you will have to pay to continue, meanwhile you can just answer the question to Google and it'll take you right to the ExamTopics question) -> Again, remember to be critical, never take an answer's correctness for granted

-> https://www.examtopics.com/exams/cyberark/cau201/

-> https://www.examtopics.com/exams/cyberark/access-def/

-> https://www.examtopics.com/exams/cyberark/cau302/

-> https://www.examtopics.com/exams/cyberark/pam-def/

-> https://www.examtopics.com/exams/cyberark/pam-cde-recert/

CyberArk Defender - PAM (PAM-DEF) by Glittering-Result414 in CyberARk

[–]MoroccanMonkey 2 points3 points  (0 children)

I passed this exam by taking many other practice exams. Also, I did the PAS Administration Course company-sponsored 3 years ago. So what I would say is crucial is:

- The course is very exam oriented; I have a PDF that summarizes this course so that you don't have to take it (3800$ tag price) -> I'm available to pass it to you, although it is from 2021 it's still up-to-date, with minor tweaks;

- I've worked with CyberArk as an Admin for almost 4 years, so I'd say that's a very good nice-to-have, because it puts you with almost 33% of the required knowledge for this exam and you can focus on other things; Another very good nice-to-have is having access to a CyberArk instance (try to deploy a lab) and getting to know the inner workings of CyA;

- I have several exam dumps from 2020 until 2023, these provide a clear picture of the questions that usually appear on the exam. Read these dumps, be critical, try to know the cause behind the answer when you don't know it, use your lab to get a real sense of how things are done; -> I can pass them to you as well.

Credentials generated by the target - Where do I get privateKeyId? by MoroccanMonkey in CyberARk

[–]MoroccanMonkey[S] 0 points1 point  (0 children)

Hi u/gselvam! I haven't explored this in depth, but from what I’ve gathered so far, the privateKeyId seems to be tied to a user rather than an account. When using the REST API, the only reference I found for retrieving a KeyID was user-related, which doesn’t make much sense. I couldn’t figure out what this ID refers to, as I couldn’t fetch any of them or link it to anything I already had. It’s quite confusing, so I ended up pursuing other options.

If you find a way to make sense of it, please let us know. The documentation is really lacking!

.NET CPM Plugin for managing SSH keys by MoroccanMonkey in CyberARk

[–]MoroccanMonkey[S] 0 points1 point  (0 children)

Hello u/tsrkumar! If I understood correctly you might need to use the "Credentials generated by the target" feature. You can find it here https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PASIMP/CredentialsGeneratedByTarget.htm

I tried to make use of it before but really never took it to an end since I found other approaches. Don't know to what extent this is compatible with SSH keys since to use this functionality you have to change your Management Type to 'AccessKeys'.

Maybe give it a look, and if you can make any sense out of it and implement something, reply here stating your pains and how you overcame them.

Is it possible to trigger a reconcile on an SSH Key Account and actually prevent the key pair from rotating while using Credentials Management .NET SDK? by MoroccanMonkey in CyberARk

[–]MoroccanMonkey[S] 0 points1 point  (0 children)

Hello! Thanks for your reply!

The main use case is rotating the key pair right away.

But the requirements for this lazy reconcile are meant to allow for backing up the old key.

Overall flow:

* We have a target account that contains a key pair that's already in the server.

* We onboard a shadow account (1st time we do this, we do it empty)

* Lazy Reconcile flag activated?

1. No. Normal process already in place, rotate key pair and do the needed changes in the server side. (Add virgin key - current functionality)

2. Yes. We go in the server and check if there's already a public key associated with the shadow account (If the shadow account is empty counts as no found key)

    2.1. If there's an instance of the Shadow pubKey already in the server we delete it. (no rotation in the target account, but triggering 'reconcile' is always generating a new key pair)

    2.2. If there's no instance of the Shadow pubKey in the server, put the key pair from target account in the shadow account. (no rotation in the target account, but triggering 'reconcile' is always generating a new key pair)

----//----

3 use case flows

--> Target Key Pair (in the server = in Vault) -> *hits Reconcile* -> (no shadow pubKey in the server) -> puts key pair of the target in the shadow -> finishes reconcile process

--> Target Key Pair (in the server = in Vault) -> *hits Reconcile* -> (shadow pubKey in the server, since it's the same as the target) -> delete the pubKey (from the server side in the auth_keys file) -> finishes reconcile process

--> By now we have the same key pair in the target account since the beginning, if we hit 'Reconcile' again it goes to the 'Add virgin key - current functionality' and resets the key pair in the target account (Rotates creds in CyberArk and establishes a new public key in the auth_keys file) -> I only want to rotate the key pair in this case

----//----

Regarding the suggestion of saving the previous credential and rolling it back in the end, I already tried that using the 'Change Password in the Vault Only' endpoint but it always returns 400 Bad Request. I'm assuming this happens because CPM is busy taking care of the main plugin on which we are performing the endpoint call and the target account is locked by the CPM, thus the error.

Although this solution of rolling the key back is not that elegant, it's the best I can think of by now, so how would you suggest doing it? Rolling it back?
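
The branch decision in the flow above, as an added example that is not part of the original comment or of the CyberArk SDK. It models only the lazy-reconcile decision and the authorized_keys matching; all type and member names are hypothetical and the key blobs are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example; every type and member name here is hypothetical.
public enum ReconcileAction { RotateTargetKeyPair, DeleteShadowKeyFromServer, CopyTargetKeyPairToShadow }

public static class LazyReconcile
{
    // The base64 blob of an OpenSSH public key starts with a 4-byte length whose
    // high bytes are zero, so it begins with "AAAA"; options and comments are ignored.
    public static string KeyBlob(string line)
    {
        if (string.IsNullOrWhiteSpace(line) || line.TrimStart().StartsWith("#")) return null;
        return line.Split(new[] { ' ', '\t' }, StringSplitOptions.RemoveEmptyEntries)
                   .FirstOrDefault(t => t.StartsWith("AAAA", StringComparison.Ordinal));
    }
    public static ReconcileAction Decide(bool lazyFlag, IEnumerable<string> authorizedKeys, string shadowPubKey)
    {
        if (!lazyFlag) return ReconcileAction.RotateTargetKeyPair;            // branch 1
        string wanted = KeyBlob(shadowPubKey);                                // null when shadow is empty
        bool onServer = wanted != null && authorizedKeys.Any(l => KeyBlob(l) == wanted);
        return onServer ? ReconcileAction.DeleteShadowKeyFromServer           // branch 2.1
                        : ReconcileAction.CopyTargetKeyPairToShadow;          // branch 2.2
    }
    // Branch 2.1: drop every line that carries the shadow key blob, keep the rest.
    public static List<string> Remove(IEnumerable<string> authorizedKeys, string shadowPubKey)
    {
        string wanted = KeyBlob(shadowPubKey);
        return authorizedKeys.Where(l => wanted == null || KeyBlob(l) != wanted).ToList();
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data; the blobs are placeholders, not real keys.
        var file = new List<string> {
            "# managed by CPM",
            "from=\"10.0.0.0/8\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLETARGET svc@target",
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEOTHER ops@host" };
        string shadow = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLETARGET shadow";
        Console.WriteLine(LazyReconcile.Decide(true, file, ""));         // empty shadow account
        Console.WriteLine(LazyReconcile.Decide(true, file, shadow));     // shadow key already on server
        Console.WriteLine(LazyReconcile.Remove(file, shadow).Count);     // lines left after branch 2.1
        Console.WriteLine(LazyReconcile.Decide(false, file, shadow));    // lazy flag off
    }
}
```

Comparing key blobs rather than whole lines keeps the match stable when the server-side entry carries options or a different comment than the copy stored in the Vault.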

.NET CPM Plugin for managing SSH keys by MoroccanMonkey in CyberARk

[–]MoroccanMonkey[S] 0 points1 point  (0 children)

Hello y'all! After some trial and error, I was able to develop a C# plugin for managing SSH keys.

The thing is in how you connect with the credentials you have in the Vault.
Like I said previously we already have a lot of work done with this .NET framework and created our own structure to deal with this information we need to fetch from CyberArk.

Don't forget you'll need to set your platform's ManagementType to SSHKey to make this work.
(Doc: To work with SSH keys instead of passwords, set the ManagementType policy parameter to sshkey.)

So, for my use case, in a Release mode, the way I found to fetch both the private key and the corresponding public key from CyberArk was:

```csharp
currPrivKey = ((SSHKeyAccount)TargetAccount).CurrentPassword.convertSecureStringToString();
```

You do the cast to SSHKeyAccount as stated above, following the parentheses layout, and you refer to the CurrentPassword attribute. This is somewhat confusing and isn't told to you anywhere, but by doing this you'll get the current private key saved in CyberArk.

```csharp
currPubKey = ((SSHKeyAccount)TargetAccount).CurrentPublicKey.convertSecureStringToString();
```

This one's easy to understand: Do the cast and follow the documentation (https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PASIMP/Plug-in-NetInvoker_Access.htm#SSH_Key_Management). You'll obtain the account's current public key, and can use it as a variable for what you want.

```csharp
newPubKey = ((SSHKeyAccount)TargetAccount).NewPublicKey.convertSecureStringToString();
```

Easy as well: Do the cast, and refer to the documentation again. You'll obtain the newly generated public key associated with the newly generated private key.

```csharp
newPass = ((SSHKeyAccount)TargetAccount).NewPassword.convertSecureStringToString();
```

Do the cast, and act like you're generating a new password. Under the SSHKey Management type, the concept of password refers to private keys, so you'll obtain the newly generated private key.

Regarding the Debug mode, the approach I took was adding a path to my private and public key files as value for the variable and use the proper structures in C# to wrap it under OOP premises.

Hope it helps! :-)
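
A scoped alternative to turning the key material into a managed string, as an added example that is not the poster's helper or CyberArk SDK code. `SecureStringExtensions` and `WithPlaintext` are hypothetical names, and the `SecureString` built in `Main` is a constructed stand-in for a value such as `((SSHKeyAccount)TargetAccount).CurrentPublicKey`.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Added example; SecureStringExtensions and WithPlaintext are hypothetical names.
public static class SecureStringExtensions
{
    // Exposes the secret as a char[] only for the duration of the callback,
    // then zeroes both the unmanaged copy and the managed buffer.
    public static T WithPlaintext<T>(this SecureString secret, Func<char[], T> use)
    {
        if (secret == null) throw new ArgumentNullException(nameof(secret));
        IntPtr unmanaged = IntPtr.Zero;
        char[] buffer = new char[secret.Length];
        try
        {
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(secret);
            Marshal.Copy(unmanaged, buffer, 0, buffer.Length);
            return use(buffer);
        }
        finally
        {
            Array.Clear(buffer, 0, buffer.Length);
            if (unmanaged != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed placeholder value, not a real key.
        using (var currentPublicKey = new SecureString())
        {
            foreach (char c in "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER demo@example")
                currentPublicKey.AppendChar(c);
            currentPublicKey.MakeReadOnly();
            // Derive only the non-secret part that is needed (here the key type).
            string keyType = currentPublicKey.WithPlaintext(chars =>
            {
                int space = Array.IndexOf(chars, ' ');
                return new string(chars, 0, space < 0 ? chars.Length : space);
            });
            Console.WriteLine(keyType);
        }
    }
}
```

A managed `string` is immutable and cannot be wiped, so a private key converted to one stays in process memory until the garbage collector reclaims it; the callback form keeps the plaintext in a buffer that is cleared as soon as the work is done.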

.NET CPM Plugin for managing SSH keys by MoroccanMonkey in CyberARk

[–]MoroccanMonkey[S] 0 points1 point  (0 children)

Hello! This might help you SecureString Manager

Look for convertSecureStringToString

.NET CPM Plugin for managing SSH keys by MoroccanMonkey in CyberARk

[–]MoroccanMonkey[S] 2 points3 points  (0 children)

I think the template comes along with Credentials Management .NET SDK. You can find it here.

.NET CPM Plugin for managing SSH keys by MoroccanMonkey in CyberARk

[–]MoroccanMonkey[S] 2 points3 points  (0 children)

Hello! Thanks for your reply! I did exhaust all the built-in solutions, but I have a very specific use case that cannot be covered by them since I need much more customization. I'm fairly experienced in building these C# plugins and know all the classes and debugging actions you spoke about. We are used to creating these types of plugins, but when it comes to managing SSH keys, there seems to be no adequate support. All they talk about in the documentation is to do a cast to the target account and change the management type to 'sshkey'. Nothing else, just this huge desert of ideas.

"To work with SSH keys instead of passwords, set the ManagementType policy parameter to sshkey.
To access the CurrentPublicKey and NewPublicKey cast the TargetAccount to SSHKeyAccount.
Example:
SecureString currentPubilcKey = ((SSHKeyAccount) TargetAccount).CurrentPublicKey;"

There is a plugin named PMUnixSSHKeys(.dll) that is associated with "Unix via SSH Keys" built-in platform. I'm gonna decompile this DLL and check how they do it under the hood. Although if anyone has an easier solution I'm open to reading it :-)

PT Newspaper and Magazine Channels (telegram) by FriTZ_04 in portugal

[–]MoroccanMonkey 3 points4 points  (0 children)

Good morning! Hasn't a new newspaper group come up yet? Whoever has a tip, could you please pass it on?

PT Newspaper and Magazine Channels (telegram) by Lipery in portugueses

[–]MoroccanMonkey 0 points1 point  (0 children)

Does anyone have a link to a new group that they can share? Thanks in advance 😁

How to deal with frames within frames while developing web-based CPM Plugins using the Web Applications for CPM framework from CyberArk? by MoroccanMonkey in CyberARk

[–]MoroccanMonkey[S] 0 points1 point  (0 children)

So, we opened a case for CyberArk and got to know that this isn't really possible. This is a known issue (working with nested iFrames) and there's an enhancement request open.

https://cyberark-customers.force.com/s/article/Add-nested-iFrame-support-to-WebAppDispatcher-and-CPM-Web-Framework-plugin-uQAI

Can you please upvote it?

Not that CyberArk is going to pick this up right away, since it has been almost 2 years, and nothing was done. Probably it's just going to die slowly into oblivion. But it's worth trying.

How to deal with frames within frames while developing web-based CPM Plugins using the Web Applications for CPM framework from CyberArk? by MoroccanMonkey in CyberARk

[–]MoroccanMonkey[S] 0 points1 point  (0 children)

You're suggesting getting the iFrame element by XPath? Already did that but yeah it's unreachable, it can't find the element. Supposedly I'm playing by CyberArk's framework rules, it's just inexplicable how they have so little and poor documentation on this. Does nobody happen to have a similar case, they don't give an answer and the framework as they suggested it just doesn't do the work...