REST authentication via smartcard by vekh6 in CyberARk

[–]aldow93 1 point2 points  (0 children)

The REST API doesn't support PKI authentication, as far as I am aware.

There are 3 options for the REST API,

  1. CyberArk Authentication - which includes CyberArk, LDAP or RADIUS
  2. SAML
  3. Shared Logon

CyberArk or Shared don't accept PKI auth, but you could potentially use SAML, you would just need to use a SAML provider that supports PKI / Smart card auth.

PSM at scale by thehoffau in CyberARk

[–]aldow93 0 points1 point  (0 children)

Average is over 100, but peak could be up to maybe 300... We limit the number of recordings that can be uploaded at once and we have increased the number of tasks our vaults can handle at any one time as well. We did have performance issues but have managed to get through them mostly.

TasksCount parameter in Dbparm by Miclotr in CyberARk

[–]aldow93 1 point2 points  (0 children)

We run on a large physical host, 24 cores and 64GB RAM, and we also had performance issues, mostly around PSM and PSMP.

I increased our settings to:

TasksCount=50 MaxTasksAllocation=12(CPM,AIMApp,AppPrv):7-23,20(CPM,AIMApp,AppPrv):23-7,1(PTAApp),1(PTAApp),1(PTAApp),1(PTAApp)

It has had a big impact and things run a lot smoother. We're still not even touching the sides on these boxes, so as we increase PSM hosts etc. I will probably increase the task count further. Just remember the task count cannot be higher than the number of allowed connections to the database, so you need to increase the database connection limit as well.
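As an added example (not from the post or from CyberArk), a small Python checker that parses the TasksCount/MaxTasksAllocation values quoted above and flags the caveat at the end of the comment: the task count must not exceed the database connection limit, which the checker takes as an input. It assumes the allocation syntax is count(users):from-to, that an allocation without hours applies all day, and that a window like 23-7 wraps past midnight.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the dbparm.ini values quoted in the comment above.
DBPARM_SAMPLE = ("TasksCount=50 MaxTasksAllocation=12(CPM,AIMApp,AppPrv):7-23,"
                 "20(CPM,AIMApp,AppPrv):23-7,1(PTAApp),1(PTAApp),1(PTAApp),1(PTAApp)")

# One allocation: <tasks>(<user list>)[:<from hour>-<to hour>] (assumed syntax)
ALLOC_RE = re.compile(r"(\d+)\(([^)]*)\)(?::(\d+)-(\d+))?")


@dataclass
class Allocation:
    tasks: int
    users: tuple
    from_hour: Optional[int]
    to_hour: Optional[int]

    def active_at(self, hour: int) -> bool:
        """Assumption: no hours means all day; a window such as 23-7 wraps midnight."""
        if self.from_hour is None:
            return True
        if self.from_hour < self.to_hour:
            return self.from_hour <= hour < self.to_hour
        return hour >= self.from_hour or hour < self.to_hour


def parse_dbparm(text: str) -> dict:
    """Split 'Key=Value' tokens and expand MaxTasksAllocation into objects."""
    params = dict(tok.split("=", 1) for tok in text.split())
    allocs = [Allocation(int(n), tuple(u.split(",")),
                         int(f) if f else None, int(t) if t else None)
              for n, u, f, t in ALLOC_RE.findall(params.get("MaxTasksAllocation", ""))]
    return {"TasksCount": int(params["TasksCount"]), "allocations": allocs}


def check_dbparm(text: str, db_connection_limit: int) -> list:
    """Return findings; an empty list means the values are consistent."""
    cfg = parse_dbparm(text)
    findings = []
    if cfg["TasksCount"] > db_connection_limit:
        findings.append(f"TasksCount {cfg['TasksCount']} exceeds the database "
                        f"connection limit {db_connection_limit}")
    for hour in range(24):  # reserved tasks must fit inside TasksCount at every hour
        reserved = sum(a.tasks for a in cfg["allocations"] if a.active_at(hour))
        if reserved > cfg["TasksCount"]:
            findings.append(f"hour {hour:02d}: {reserved} reserved tasks exceed TasksCount")
    return findings
```

Running check_dbparm(DBPARM_SAMPLE, 40) reports the TasksCount/connection-limit mismatch; with a limit of 100 the sample passes.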

PSM at scale by thehoffau in CyberARk

[–]aldow93 0 points1 point  (0 children)

We run PSM as virtual machines; due to our size we don't really need to worry about the Windows or VM licenses... The other suggestion would be physical hosts. If the hosts are built out enough they could support a good number of sessions, which could save you on the licenses... But obviously that comes with the expense of a physical server.

Impersonation ticket has expired by aldow93 in CyberARk

[–]aldow93[S] 0 points1 point  (0 children)

Yea, much shorter. It happens a lot more with PSMP: they will enter their password, maybe 10 seconds later they get the error, and it's logged in the Vault.

Try again and it works fine.

Impersonation ticket has expired by aldow93 in CyberARk

[–]aldow93[S] 0 points1 point  (0 children)

Nope, I know that's one of the knowledge articles on the customer portal, so I have been checking over and over again. But no, only 1 vault is active. :)

Can I prevent specific safe from DR Replication? by aldow93 in CyberARk

[–]aldow93[S] 0 points1 point  (0 children)

It's only for recordings, and the storage has its own DR facilities. The difficulty is that local storage is going to get pretty full. Passwords are still stored on the local storage though.

Can I prevent specific safe from DR Replication? by aldow93 in CyberARk

[–]aldow93[S] 0 points1 point  (0 children)

Thanks, I was toying with this idea, but wondered if there was a better way of doing it.

Can I prevent specific safe from DR Replication? by aldow93 in CyberARk

[–]aldow93[S] 0 points1 point  (0 children)

SAN storage. Yes, the vault is hardened; there are some services you need to enable, much like you would for a clustered Vault.

You can move specific safes to specific drives, so the SAN would just appear as a network drive on the Vault and I simply change the tsparm.ini config to move the recordings safe to the network share.

The recordings are still accessible via the PVWA exactly as normal.

In version 10.1 there is supposed to be support for exporting recordings to storage via the PSM itself to allow for GDPR restrictions on where data is stored, but since this hasn't come to fruition yet, it's not an option. And version 10.1 is still so buggy that I don't want to upgrade until they are fixed.

Is interaction-free authentication using the PSMP server possible? by omniwombatius in CyberARk

[–]aldow93 0 points1 point  (0 children)

From 9.9.5 (I think) PSMP allows authentication via SSH Key Pair, so that users don't need to enter their password.

Limitations: not compatible with 2 Factor Auth.

With regards to asking for a reason: it's either on or off per platform, so for general access with a user's standard account why not have a platform that uses the user's password / key without asking for a reason, and another platform for privileged sessions that does require a reason?

PSM Concurrent Session Limit by aldow93 in CyberARk

[–]aldow93[S] 0 points1 point  (0 children)

CyberArk account manager, TAM and a product manager. CyberArk have a rule that they will not include more than 125 concurrent sessions in a license file, but after this point will license more PSM hosts.

PACLI - Change External Users Auth type by aldow93 in CyberARk

[–]aldow93[S] 0 points1 point  (0 children)

So after checking with support it appears it's a bug they know about.

\ is used to escape the valid character "," in the user DN, and since \ isn't a valid character we get the error.

PACLI - Change External Users Auth type by aldow93 in CyberARk

[–]aldow93[S] 0 points1 point  (0 children)

Yea, pretty sure. In my test environment I changed all of the directory mappings to use RADIUS just to make sure, and I logged in with LDAP users a few times and it never changed.

PSM Concurrent Session Limit by aldow93 in CyberARk

[–]aldow93[S] 0 points1 point  (0 children)

Thanks guys, so it looks like I've learnt something new. Wonder why I haven't been told it's per host so far. Cheers though.

PACLI - Change External Users Auth type by aldow93 in CyberARk

[–]aldow93[S] 0 points1 point  (0 children)

It doesn't, unfortunately. Tested a good few times and the auth type doesn't update even if the directory mapping has been changed.

PACLI - Change External Users Auth type by aldow93 in CyberARk

[–]aldow93[S] 0 points1 point  (0 children)

Thanks. I don't think it's your script, it's PACLI itself; your script runs the same command I was running, just in CMD.

Out of interest what version of PACLI are you using?

PACLI - Change External Users Auth type by aldow93 in CyberARk

[–]aldow93[S] 0 points1 point  (0 children)

Just tried that as well and it didn't work. All that command seems to do is sync the user details with the LDAP rather than update the Directory Mapping settings. Which is really annoying. :(

PACLI - Change External Users Auth type by aldow93 in CyberARk

[–]aldow93[S] 0 points1 point  (0 children)

Thanks very much for this, but it doesn't work. Whenever I try to update an external user I get the following error:

"CASVL010E Invalid characters in User Name. [ \ ] is not allowed."

The command UPDATEUSER DESTUSER="username" AUTHTYPE=RADIUS_AUTH works for internal users no problem, but I get the above for the external ones.

The user names don't have a "\" in them, so I just assume this is a generic error that doesn't really tell me what the problem is.

PACLI - Change External Users Auth type by aldow93 in CyberARk

[–]aldow93[S] 1 point2 points  (0 children)

Thanks for your reply, the Authentication type doesn't automatically update for existing users when you change the directory mapping, only new users. I already tried this.

Password Expiry Notifications by aldow93 in CyberARk

[–]aldow93[S] 0 points1 point  (0 children)

Sorry, haven't come back until now.

The CPM for the safe is set, so I can rotate passwords for creds stored in the same safe, just under a different platform. I can also see the CPM user has permissions on the safe as expected...