
Oracle Fusion Middleware : Oracle Identity and Access Management Suite 10g/11gR1/11gR2PS1,PS2,PS3 : OIM | OAM,OAAM,OIF | OID, OVD, DIP | OUD/ ODSEE | Microsoft AD | OpenLDAP | ADF | EBS R12 | OECMCCR4 | Business Intelligence - BI Publisher | Banking | Demo Applications | Core Java | SQL | PLSQL | Web services | Weblogic | Tomcat | JBoss | OHS | WebGate | WebCenter | In any Queries please Contact Me : info@oratechsoft.com


Saturday, 2 August 2025

CyberArk : Cyberark PAM integration with PKI Authentication.

Phase 1: Overview & Purpose

Public Key Infrastructure (PKI) allows CyberArk PVWA to authenticate users based on client certificates issued by a trusted Certificate Authority (CA). During login, a secure SSL/TLS handshake ensures:

  • The client presents a valid certificate.

  • The server verifies the certificate’s trust chain and details (Subject/UPN).

  • Optional: Multi-factor support (certificate + password).


Phase 2: Prerequisites

2.1 Vault & PVWA Environment

  • CyberArk Vault and PVWA must be fully installed and accessible.

  • PVWA must be HTTPS-enabled with a CA-signed SSL certificate (not self-signed).

  • Vault must also be TLS-enabled with trusted CA certs.

2.2 LDAP/S Integration (Recommended)

  • LDAP integration must be configured.

  • Vault users must be:

    • Mapped to LDAP users.

    • AuthMethod set to PKI or PKIPN as appropriate.

2.3 Client Certificate Requirements

Each end-user certificate must:

  • Be issued by the same trusted CA configured in PVWA.

  • Include the UPN or sAMAccountName in:

    • Subject or SAN (Subject Alternative Name).

  • Contain the full chain (Root + Intermediates).

  • Be present in the user’s Personal Certificate Store (certmgr.msc > Personal > Certificates).

2.4 Server Certificate Trust Setup

On each PVWA server:

  • Import the Root CA and Intermediate CA certificates into:

    • Trusted Root Certification Authorities

    • Intermediate Certification Authorities (Local Computer store)
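The two imports above can be scripted so that every PVWA server gets an identical trust store. The script below is an added example, not part of the original post or of CyberArk's tooling; the .cer file paths are placeholders for your own exported CA certificates, and it must run in an elevated PowerShell session on the PVWA server.

```powershell
# Added example (not from the original post): import the Root and Intermediate CA
# certificates into the Local Computer stores on a PVWA server and confirm they landed.
# The file paths are placeholders; replace them with your CA's exported .cer files.
$rootCaFile         = 'C:\Temp\corp-root-ca.cer'      # assumption: exported Root CA certificate
$intermediateCaFile = 'C:\Temp\corp-issuing-ca.cer'   # assumption: exported Intermediate (issuing) CA certificate

# Root CA -> Trusted Root Certification Authorities (Local Computer)
$root = Import-Certificate -FilePath $rootCaFile -CertStoreLocation 'Cert:\LocalMachine\Root'

# Intermediate CA -> Intermediate Certification Authorities (Local Computer)
$intermediate = Import-Certificate -FilePath $intermediateCaFile -CertStoreLocation 'Cert:\LocalMachine\CA'

# Sanity check: a CA certificate must assert CA=True in Basic Constraints (one of the
# conditions Phase 4.1 lists for ValidatePKICertificate).
foreach ($ca in @($root, $intermediate)) {
    $basic = $ca.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $basic -or -not $basic.CertificateAuthority) {
        Write-Warning "$($ca.Subject) does not assert CA=True in Basic Constraints"
    }
}

# Confirm both thumbprints are now present in the expected machine stores.
foreach ($pair in @(@('Root', $root), @('CA', $intermediate))) {
    $store, $cert = $pair
    $found = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object Thumbprint -eq $cert.Thumbprint
    if ($found) { Write-Host "OK      LocalMachine\$store contains $($cert.Subject)" }
    else        { Write-Warning "MISSING LocalMachine\$store does not contain $($cert.Subject)" }
}
```

Importing into `Cert:\LocalMachine\...` rather than `Cert:\CurrentUser\...` matters here: IIS runs under service identities, so a CA imported into an administrator's personal store is invisible to the PVWA application pool.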


Phase 3: PVWA Configuration Steps

3.1 IIS Setup for SSL + Client Certificates

  • Open IIS Manager > Default Web Site > Bindings.

  • Bind HTTPS to port 443 using the PVWA SSL certificate.

  • In PasswordVault > SSL Settings:

    • Check Require SSL

    • Set Client Certificates to Accept (testing) or Require (production)
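The same IIS settings can be applied with the WebAdministration module, which is handy when several PVWA nodes must end up identical. This is an added example, not from the original post: it assumes the site is named `Default Web Site`, the application path is `PasswordVault`, the PVWA SSL certificate is already installed in `Cert:\LocalMachine\My`, and `pvwa.domain.com` (taken from the test URL in Phase 5) is a placeholder hostname.

```powershell
# Added example (not from the original post): configure the IIS pieces from Phase 3.1
# with the WebAdministration module instead of clicking through IIS Manager.
# Assumptions: site 'Default Web Site', application 'PasswordVault', server certificate
# already in Cert:\LocalMachine\My, and a placeholder hostname. Run elevated.
Import-Module WebAdministration

$siteName = 'Default Web Site'
$appPath  = 'PasswordVault'
$pvwaHost = 'pvwa.domain.com'   # placeholder hostname from the post's test URL

# Locate the CA-signed server certificate by subject; skip self-signed ones because
# the post requires a CA-signed PVWA certificate.
$serverCert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -like "CN=$pvwaHost*" -and $_.Subject -ne $_.Issuer } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $serverCert) { throw "No CA-signed certificate for $pvwaHost found in LocalMachine\My" }

# Bind HTTPS on 443 (create the binding only if it does not exist yet) and attach the certificate.
if (-not (Get-WebBinding -Name $siteName -Protocol 'https' -Port 443)) {
    New-WebBinding -Name $siteName -Protocol 'https' -Port 443 -IPAddress '*'
}
$binding = Get-WebBinding -Name $siteName -Protocol 'https' -Port 443
$binding.AddSslCertificate($serverCert.Thumbprint, 'My')

# Require SSL on the PasswordVault application and set the client certificate mode.
# 'SslNegotiateCert' = Accept (testing), 'SslRequireCert' = Require (production).
$clientCertMode = 'SslNegotiateCert'   # switch to 'SslRequireCert' once testing succeeds
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$siteName/$appPath" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value "Ssl,$clientCertMode"

# Read the effective setting back for verification.
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location "$siteName/$appPath" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
```

Writing the `sslFlags` value with `-PSPath 'IIS:\' -Location ...` stores it in a `<location>` element of applicationHost.config, which is the same file the screenshot step "update the applicationHost.config" below refers to.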

3.2 Enable PKI / PKIPN in PVWA UI

  • Log in to PVWA as an Admin.

  • Go to: Administration > Authentication Methods

  • Enable:

    • PKI (Distinguished Name matching)

    • PKIPN (UPN matching from certificate)

3.3 Configure LDAP for PKIPN

In PVWA Admin UI:

  • Go to: Administration > LDAP Integration

  • Under the appropriate profile (e.g., Microsoft AD):

    • Set UserLogonName = userPrincipalName

    • Under LDAP User Mapping, ensure Vault users can be matched by UPN

In web.config under <appSettings>:

<add key="UsePKIPNAlternateUserName" value="yes"/>

Phase 4: Advanced Configuration (Optional but Recommended)

4.1 Enable Extended Certificate Validation

  • In PVWA UI: Administration > Configuration Options > General

  • Set ValidatePKICertificate = Yes

Conditions required for validation:

  • No Elliptic Curve keys

  • Client cert includes Client Authentication in Extended Key Usage

  • CA has CA=True in Basic Constraints

  • No SHA1/MD5 used in signature

  • Cert is not self-signed
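Before turning on `ValidatePKICertificate`, it is worth checking the certificates users actually hold against the Phase 2.3 requirements and the Phase 4.1 conditions above, so a non-compliant certificate is found before it becomes a login failure. The function below is an added example, not from the original post or from CyberArk; it assumes the client certificate sits in the current user's Personal store, and the UPN `jdoe@corp.com` is a placeholder.

```powershell
# Added example (not from the original post): check a client certificate against the
# Phase 2.3 requirements and the Phase 4.1 conditions that ValidatePKICertificate enforces.
# Assumption: certificates are in Cert:\CurrentUser\My; the UPN below is a placeholder.
$expectedUpn = 'jdoe@corp.com'   # placeholder: the user's UPN as stored in AD

function Test-PkiClientCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Upn)

    $issues = New-Object System.Collections.Generic.List[string]

    # 4.1: no Elliptic Curve keys (an RSA public key is expected)
    if ($Cert.PublicKey.Oid.FriendlyName -ne 'RSA') {
        $issues.Add("Public key algorithm is $($Cert.PublicKey.Oid.FriendlyName), not RSA")
    }

    # 4.1: Extended Key Usage must include Client Authentication (OID 1.3.6.1.5.5.7.3.2)
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.2')) {
        $issues.Add('EKU does not include Client Authentication')
    }

    # 4.1: no SHA1 / MD5 in the signature
    if ($Cert.SignatureAlgorithm.FriendlyName -match 'sha1|md5') {
        $issues.Add("Weak signature algorithm: $($Cert.SignatureAlgorithm.FriendlyName)")
    }

    # 4.1: not self-signed
    if ($Cert.Subject -eq $Cert.Issuer) { $issues.Add('Certificate is self-signed') }

    # 2.3: the UPN must appear in the Subject Alternative Name (or the Subject)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    if ($Upn -and ($sanText -notmatch [regex]::Escape($Upn)) -and ($Cert.Subject -notmatch [regex]::Escape($Upn))) {
        $issues.Add("UPN $Upn not found in SAN or Subject")
    }

    # 2.3 / 2.4: the chain must build to a trusted Root, and every CA must assert CA=True
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust-chain check only; revocation is a separate concern
    if (-not $chain.Build($Cert)) {
        $issues.Add('Chain does not build: ' + (($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '))
    }
    foreach ($element in ($chain.ChainElements | Select-Object -Skip 1)) {
        $bc = $element.Certificate.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        if (-not $bc -or -not $bc.CertificateAuthority) {
            $issues.Add("CA $($element.Certificate.Subject) lacks CA=True in Basic Constraints")
        }
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer     # this exact DN is what PKIAuthorizedIssuer (Phase 4.3) must match
        Thumbprint = $Cert.Thumbprint
        Passed     = ($issues.Count -eq 0)
        Issues     = $issues
    }
}

# Check every certificate in the Personal store that has a private key.
Get-ChildItem 'Cert:\CurrentUser\My' | Where-Object HasPrivateKey |
    ForEach-Object { Test-PkiClientCertificate -Cert $_ -Upn $expectedUpn } |
    Format-List
```

Run it on the test machine where the browser picks up the certificate. The `Issuer` field in the output is the string to copy into `PKIAuthorizedIssuer` when restricting the allowed CA in Phase 4.3.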

4.2 Configure web.config for PKI/PKIPN

Location: C:\inetpub\wwwroot\PasswordVault\web.config

For PKI:
No changes are needed in the handler if it already uses:

<add name="PKIAuth" type="CyberArk.Authentication.PKIAuthentication, CyberArk.Authentication.PKI" preCondition="managedHandler"/>

For PKIPN:
Replace it with:

<add name="PKIAuth" type="CyberArk.Authentication.PKIPNAuthentication, CyberArk.Authentication.PKIPN" preCondition="managedHandler"/>

Also, copy CyberArk.Authentication.PKIPN.dll into:
C:\inetpub\wwwroot\PasswordVault\bin

4.3 Validate Certificate Issuer (Restrict Allowed CA)

In web.config under <appSettings>:

<add key="PKIAuthorizedIssuer" value="CN=Your-CA-Name, DC=domain, DC=com" />

Use either:

  • Full Distinguished Name (DN), or

  • Simple Common Name (CN)

Examples:

<add key="PKIAuthorizedIssuer" value="CN=corp-DC01-CA, DC=corp, DC=com" />
<add key="PKIAuthorizedIssuer" value="corp-DC01-CA" />
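Hand-editing web.config on several PVWA servers invites typos in exactly the values that decide who can log in, so the two `<appSettings>` keys from Phase 3.3 (`UsePKIPNAlternateUserName`) and Phase 4.3 (`PKIAuthorizedIssuer`) can be set by script instead. The script below is an added example, not part of the original post or of CyberArk's tooling; it takes a timestamped backup first, adds or updates each key only when needed, and uses the post's example DN `CN=corp-DC01-CA, DC=corp, DC=com` as a placeholder for your own CA's issuer DN.

```powershell
# Added example (not from the original post): set the web.config appSettings keys from
# Phase 3.3 (UsePKIPNAlternateUserName) and Phase 4.3 (PKIAuthorizedIssuer) idempotently,
# after taking a timestamped backup. The issuer DN is a placeholder; use the exact Issuer
# string of your client certificates. Run elevated on the PVWA server.
$webConfig = 'C:\inetpub\wwwroot\PasswordVault\web.config'
$settings  = @{
    'UsePKIPNAlternateUserName' = 'yes'
    'PKIAuthorizedIssuer'       = 'CN=corp-DC01-CA, DC=corp, DC=com'   # placeholder from the post's example
}

function Set-AppSetting {
    param([xml]$Doc, [string]$Key, [string]$Value)
    $appSettings = $Doc.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) {
        $appSettings = $Doc.configuration.AppendChild($Doc.CreateElement('appSettings'))
    }
    $node = $appSettings.SelectSingleNode("add[@key='$Key']")
    if ($node) {
        if ($node.GetAttribute('value') -eq $Value) { return "unchanged  $Key" }
        $node.SetAttribute('value', $Value)
        return "updated    $Key"
    }
    $node = $Doc.CreateElement('add')
    $node.SetAttribute('key', $Key)
    $node.SetAttribute('value', $Value)
    [void]$appSettings.AppendChild($node)
    return "added      $Key"
}

# Back up before touching a file that IIS reloads as soon as it is saved.
$backup = "$webConfig.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $webConfig -Destination $backup

[xml]$doc = Get-Content -Path $webConfig -Raw
foreach ($entry in $settings.GetEnumerator()) {
    Set-AppSetting -Doc $doc -Key $entry.Key -Value $entry.Value
}
$doc.Save($webConfig)
Write-Host "Saved $webConfig (backup: $backup)"
```

Because saving web.config recycles the PVWA application, run this during a maintenance window and keep the `.bak` file until a PKI login has been confirmed to work.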

Phase 5: Testing & Validation

5.1 Test Login via PVWA

  • URL: https://pvwa.domain.com/PasswordVault

  • Attach Smart Card or ensure client cert is installed.

  • Browser behavior:

    • Either auto-authenticates the user

    • Or prompts user to select a valid certificate

5.2 Troubleshooting

If login fails:

  • Check certificate trust chain

  • Verify UPN/DN matches Vault user

  • Confirm AuthMethod = PKI or PKIPN

  • Ensure IIS client cert mode is correct

  • Use supported browsers (Chrome, Edge, IE)

  • Review logs:

    • C:\inetpub\wwwroot\PasswordVault\Logs


Step by step screenshots for your reference:
--------------------------------------------

1. Vault Configured with CA Certificate

2. Update the Domain Issuer details in the web.config file.

3. Update the applicationHost.config

Location: %WinDir%\System32\Inetsrv\Config\applicationHost.config

4. Import the user (Username) certificate on PVWA and Client Machine (Testing Machine)

5. Verify the installed certificate is updated at the browser level.

6. Enable PKI on the PVWA Configuration Console

A. General Level

B. Authentication Level

7. User Group Mapping with External Authentication like PKI (on top of LDAP)

8. Log in to PVWA with the PKI authentication method

Happy learning!!





