
Thursday, 16 April 2026

CyberArk PTA 14.6.1 Installation and Configuration

Production SOP for RHEL/CentOS

This document provides a structured, production-ready procedure for installing and configuring CyberArk Privileged Threat Analytics (PTA) version 14.6.1. The focus is on correctness, repeatability, and eliminating common failure points.


1. Environment Overview

Operating System: RHEL / CentOS 7.9 (Minimal)
CPU / Memory: 8 vCPU / 16 GB RAM
Disk: 500 GB
Domain: corp.com

Components:

  • Vault: 10.0.20.201
  • PVWA: 10.0.20.203
  • PTA: 10.0.20.206

2. Vault and PVWA Pre-Requisites

2.1 Vault Configuration

Create the following users using PrivateArk Client:

  • PTAAppUser (Application type)
  • PTAGWUser (Gateway type)

Grant permissions in the PasswordVault safe:

  • List Accounts
  • Retrieve Accounts
  • View Safe Members

Update the Vault configuration file:

C:\Program Files (x86)\PrivateArk\Server\Conf\dbparm.ini

Add:

AllowNonStandardUserTypes=Yes

Restart the PrivateArk Server service.

Failure to apply this setting results in PTA authentication issues.


2.2 PVWA Configuration

Enable double escaping in IIS:

cd %windir%\system32\inetsrv

appcmd set config "Default Web Site/PasswordVault" ^
-section:system.webServer/security/requestFiltering ^
/allowDoubleEscaping:"True" /commit:apphost

iisreset

If this step is skipped, PTA API communication will fail (commonly observed as P023 errors).


3. PTA Server Base OS Configuration

3.1 Hostname and DNS

hostnamectl set-hostname pta.corp.com

Update /etc/hosts to ensure bidirectional resolution for Vault, PVWA, and PTA.


3.2 SELinux Configuration

sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0

PTA is not supported with SELinux in enforcing mode.


3.3 Time Synchronization

dnf install -y chrony
systemctl enable --now chronyd

Time skew greater than five minutes causes authentication failures.


3.4 Required Packages

dnf update -y

dnf install -y unzip tar net-tools bind-utils curl telnet rsyslog \
policycoreutils-python-utils iptables-nft-services tmpwatch sshpass libnsl

systemctl enable --now rsyslog

3.5 Firewall Configuration

systemctl disable --now firewalld

PTA manages iptables internally.


3.6 Reboot

reboot

4. PTA Installation

mkdir -p /opt/PTA
cd /opt/PTA

unzip PTA-Installer-Rls-v14.6.1.zip
chmod +x pta_installer.sh

./pta_installer.sh

Installation directories:

  • /opt/pta
  • /opt/tomcat

5. Certificate Trust Configuration

5.1 Import CA into OS Trust

cp domain.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

5.2 Import CA into Java Truststore

/opt/pta/infra/jvm/jre17/bin/keytool -import \
-alias pvwa-rootca \
-keystore /opt/pta/infra/jvm/jre17/lib/security/cacerts \
-file domain.crt \
-storepass changeit \
-noprompt

OS-level trust is not sufficient: PTA uses the Java truststore, not the OS trust store, for its outbound TLS connections to PVWA.


6. PTA Pre-Configuration Wizard

Run:

/opt/tomcat/prepwiz/run.sh

Provide the following critical inputs:

  • Vault IP: 10.0.20.201
  • Vault Port: 1858
  • securityModuleTrustedConnection: Yes
  • PVWA Address: pvwa.corp.com
  • PVWA Port: 443
  • Authorized Sources: Vault and PVWA IP addresses

Incorrect values here result in authentication failures and diagnostic errors.


7. Tomcat Keystore Alias Fix

After running prepwiz, update the Tomcat configuration:

grep -q 'keyAlias=' /etc/opt/pta/tomcat/server.xml || \
sed -i 's|keystorePass="[^"]*"|& keyAlias="1"|' /etc/opt/pta/tomcat/server.xml

Without this fix, the PTA service will not bind to port 8443.


8. Start and Validate Services

systemctl start appmgr

Verify Listening Ports

ss -tulnp | grep -E ':(8080|8443|11514)\b'

Test PTA UI

curl -kI https://localhost:8443

Test PVWA API Connectivity

curl -sk -X POST https://pvwa.corp.com/PasswordVault/api/auth/CyberArk/Logon \
-H "Content-Type: application/json" \
-d '{"username":"Administrator","password":"<password>"}'

If this API call fails, PTA integration is not functioning.
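The checks above, together with the failure scenarios in section 12, can be scripted so that every deployment is validated the same way. The script below is an added example written for this page; it is not part of the original procedure or of CyberArk's tooling. It assumes the ports, hostname, JVM path and certificate alias used in this document (TCP 8080/8443, UDP 11514, pvwa.corp.com, /opt/pta/infra/jvm/jre17, alias pvwa-rootca); the sample ss output and API responses embedded in it are constructed. The parsing functions run offline; `live` mode runs the real commands on the PTA server and prompts for the PVWA password rather than taking it on the command line.

```shell
#!/usr/bin/env bash
# pta_validate.sh - post-install validation for CyberArk PTA (added example, not CyberArk code).
# Usage:  ./pta_validate.sh live    # run the real checks on the PTA server
#         ./pta_validate.sh         # only define the functions (for sourcing/testing)

# Expected listeners: PTA UI/API on TCP 8080 and 8443, Vault syslog feed on UDP 11514.
PTA_EXPECTED_PORTS="tcp:8080 tcp:8443 udp:11514"
PVWA_HOST="pvwa.corp.com"
JAVA_HOME_PTA="/opt/pta/infra/jvm/jre17"
CA_ALIAS="pvwa-rootca"

# missing_ports PROTO:PORT ... < ss-output
# Reads `ss -tulnp` output on stdin and prints every spec with no matching local
# socket. Matching on the Netid column ($1) catches the common mistake of checking
# the UDP syslog port with `ss -t`, which never lists it.
missing_ports() {
    local listing spec proto port
    listing=$(cat)
    for spec in "$@"; do
        proto=${spec%%:*}
        port=${spec##*:}
        printf '%s\n' "$listing" |
            awk -v p="$proto" -v n="$port" '$1 == p && $5 ~ (":" n "$") { found = 1 } END { exit !found }' ||
            printf '%s\n' "$spec"
    done
}

# pvwa_logon_ok BODY
# The PVWA Logon endpoint returns the session token as a bare JSON string on
# success and a JSON object carrying ErrorCode/ErrorMessage on failure.
pvwa_logon_ok() {
    case "$1" in
        \"*\") return 0 ;;
        *)     return 1 ;;
    esac
}

# pvwa_error_code BODY -> prints the ErrorCode from a failed Logon body, if any
pvwa_error_code() {
    printf '%s' "$1" | sed -n 's/.*"ErrorCode" *: *"\([^"]*\)".*/\1/p'
}

# run_live: execute the real checks on this host; non-zero exit if any fails
run_live() {
    local rc=0 missing body pw

    missing=$(ss -tulnp | missing_ports $PTA_EXPECTED_PORTS)   # unquoted: word-split the specs
    [ -z "$missing" ] || { echo "FAIL listeners missing: $missing"; rc=1; }

    curl -ksf -o /dev/null "https://localhost:8443/" ||
        { echo "FAIL PTA UI not answering on 8443 (see 12.1, keyAlias)"; rc=1; }

    "$JAVA_HOME_PTA/bin/keytool" -list -alias "$CA_ALIAS" \
        -keystore "$JAVA_HOME_PTA/lib/security/cacerts" -storepass changeit >/dev/null 2>&1 ||
        { echo "FAIL CA alias $CA_ALIAS not in Java truststore (see 12.4)"; rc=1; }

    # Password is read from the terminal, not passed as an argument; it is not JSON-escaped,
    # so a password containing '"' or '\' would need escaping first.
    printf 'PVWA password for Administrator: '; read -rs pw; echo
    body=$(curl -sk -X POST "https://$PVWA_HOST/PasswordVault/api/auth/CyberArk/Logon" \
        -H "Content-Type: application/json" \
        --data-binary "{\"username\":\"Administrator\",\"password\":\"$pw\"}")
    unset pw
    if pvwa_logon_ok "$body"; then
        echo "OK   PVWA API logon"
    else
        echo "FAIL PVWA API logon: $(pvwa_error_code "$body")"; rc=1
    fi
    return $rc
}

# Constructed sample of `ss -tulnp` output: 8080/8443 listening, 11514/udp absent.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:8080      0.0.0.0:*     users:(("java",pid=1201,fd=60))
tcp   LISTEN 0      128          0.0.0.0:8443      0.0.0.0:*     users:(("java",pid=1201,fd=61))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=980,fd=3))'

case "${1:-}" in
    live) run_live ;;
esac
```

The UDP syslog port is the check most often skipped: a TCP-only `ss -t` never lists it, which is why the function matches on the Netid column of `ss -tulnp` rather than on the port number alone.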


9. Post-Installation Configuration

Access PTA UI:

https://<PTA-IP>:8443

Complete the following:

  • Change administrator password
  • Upload license
  • Configure AD connectivity (GC port 3269)
  • Validate PVWA connectivity
  • Configure SMTP and SIEM

10. Vault Syslog Integration

On the Vault server, add the following to dbparm.ini (the same file edited in section 2.1):

SyslogServerIP=10.0.20.206
SyslogServerPort=11514
SyslogServerProtocol=UDP

Restart the PrivateArk Server service.

Without syslog integration, PTA will not receive audit data.


11. Hardening

sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
grep -q '^PermitRootLogin no' /etc/ssh/sshd_config || echo 'PermitRootLogin no' >> /etc/ssh/sshd_config
sshd -t && systemctl restart sshd

12. Common Failure Scenarios

12.1 PTA UI Not Accessible on Port 8443

  • Cause: Keystore alias mismatch
  • Fix: Set keyAlias="1" in server.xml

12.2 P023 Diagnostic Failure

  • Cause: Double escaping disabled in PVWA
  • Fix: Enable via IIS appcmd

12.3 Authentication Failures (401 Errors)

  • Cause: Trusted connection disabled
  • Fix: Set securityModuleTrustedConnection to Yes

12.4 SSL Works via Curl but PTA Fails

  • Cause: Missing CA in Java truststore
  • Fix: Import certificate using keytool

13. Engineering Takeaways

Two practices determine whether this deployment succeeds or fails:

Configuration Discipline

  • Applying Vault and PVWA prerequisites correctly versus assuming defaults
  • Importing certificates into Java truststore rather than relying only on OS-level trust

Validation Approach

  • Verifying API connectivity manually instead of assuming success
  • Checking service ports explicitly instead of relying on service status

Saturday, 21 March 2026

CyberArk PSM for SSH (PSMP) 15.x

Installation and Configuration Guide (Rocky Linux / RHEL 8.x)


1. Introduction

This document provides detailed step-by-step instructions for installing and configuring CyberArk Privileged Session Manager for SSH (PSMP) version 15.x on a Rocky Linux / RHEL 8.x server.

PSMP enables secure proxy-based SSH access to target systems via CyberArk Vault without exposing credentials to end users.


2. Prerequisites

2.1 Supported Operating System

Verify that the operating system is supported.

Command:

cat /etc/os-release

Ensure the OS is Rocky Linux 8.x or RHEL 8.x.


2.2 CyberArk License Requirements

Ensure that the CyberArk license includes:

  • PSMPServer
  • PSMPApp access

Installation will not proceed without a valid license.


2.3 Vault Connectivity

Verify connectivity between PSMP server and Vault.

Commands:

ping <Vault-IP>
telnet <Vault-IP> 1858

Ensure required ports are open:

  • 1858 / 1859 (Vault)
  • 443 (PVWA if TLS used)

2.4 Required Vault Permissions

The Vault user used during installation must have:

  • Add Safes
  • Audit Users
  • Add/Update Users
  • Manage Server File Categories
  • Ownership of PVWAConfig Safe with:
    • List Accounts
    • Retrieve Accounts
    • Manage Safe Owners

2.5 SELinux Configuration

Check SELinux status:

getenforce

Install required package:

yum install -y policycoreutils-python-utils

SELinux should be in enforcing mode before installation.


2.6 Disable NSCD (If Installed)

Check:

rpm -qa | grep nscd

If installed:

systemctl stop nscd.service nscd.socket
systemctl disable nscd.service nscd.socket

2.7 Create Local Administrative User

useradd psmpadmin
passwd psmpadmin

This user is used for server administration.


3. Prepare Installation Files

Create installation directory:

mkdir -p /opt/CARKpsmp
cd /opt/CARKpsmp

Copy the following files:

  • CARKpsmp-15.x.x.x.rpm
  • psmpparms.sample
  • RPM-GPG-KEY-CyberArk

3.1 Verify RPM Signature

rpm --import RPM-GPG-KEY-CyberArk
rpm -K -v CARKpsmp-15.x.x.x.rpm

Ensure output shows “OK”.


4. Create Parameter File (psmpparms)

Copy sample file:

cp psmpparms.sample psmpparms
vi psmpparms

4.1 Mandatory Parameters

AcceptCyberArkEULA=Yes
Hardening=Yes

4.2 Recommended Parameters

EnablePSMPRestService=Yes
PSMPCreateEnvRetryTimeout=1
PSMPCreateEnvClientsCount=10

4.3 Optional Parameter

EnableADBridge=Yes

4.4 Move Parameter File

mv psmpparms /var/tmp/

This location is mandatory.
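Sections 2.1, 2.6, 3.1 and 4 can be checked before the rpm -ivh step with a short pre-flight script. The following is an added example written for this page, not part of the original guide or of CyberArk's installer. The os-release files, rpm -K output and psmpparms content used to exercise it are constructed samples; `live` mode runs the real checks on the PSMP host.

```shell
#!/usr/bin/env bash
# psmp_preflight.sh - pre-installation checks for CyberArk PSMP (added example, not CyberArk code).
# Covers sections 2.1 (OS), 2.6 (nscd), 3.1 (RPM signature) and 4 (psmpparms).
# Usage: ./psmp_preflight.sh live CARKpsmp-15.x.x.x.rpm   (no args: define functions only)

# os_supported OS_RELEASE_FILE -> 0 if Rocky Linux 8.x or RHEL 8.x
# /etc/os-release is shell-parseable by design, so source it in a subshell.
os_supported() {
    local idver
    idver=$(unset ID VERSION_ID; . "$1" && printf '%s:%s' "$ID" "$VERSION_ID")
    case "$idver" in
        rocky:8|rocky:8.*|rhel:8|rhel:8.*) return 0 ;;
        *) return 1 ;;
    esac
}

# rpm_sig_ok < rpm-K-v-output -> 0 only if a Signature line is present and every
# check line ends in ": OK". An unsigned package still prints "OK" for each digest
# line, so requiring an explicit Signature line is the important part.
rpm_sig_ok() {
    awk 'NR == 1 { next }           # first line is "<file>:"
         /Signature/ { sig = 1 }
         !/: OK$/ { bad = 1 }
         END { exit !(sig && !bad) }'
}

# psmpparms_missing FILE -> prints each mandatory key (section 4.1) not set to Yes
psmpparms_missing() {
    local key
    for key in AcceptCyberArkEULA Hardening; do
        grep -qi "^${key}=Yes[[:space:]]*$" "$1" || printf '%s\n' "$key"
    done
}

run_live() {
    local rc=0 rpm_file=$1 missing

    os_supported /etc/os-release || { echo "FAIL unsupported OS (need Rocky/RHEL 8.x)"; rc=1; }

    if rpm -q nscd >/dev/null 2>&1 && systemctl is-enabled --quiet nscd.service; then
        echo "FAIL nscd is installed and enabled; stop and disable it (section 2.6)"; rc=1
    fi

    if [ -n "$rpm_file" ]; then
        rpm -K -v "$rpm_file" | rpm_sig_ok || { echo "FAIL RPM signature check: $rpm_file"; rc=1; }
    fi

    [ -f /var/tmp/psmpparms ] || { echo "FAIL /var/tmp/psmpparms not found (section 4.4)"; rc=1; }
    missing=$(psmpparms_missing /var/tmp/psmpparms 2>/dev/null)
    [ -z "$missing" ] || { echo "FAIL psmpparms keys missing or not Yes: $missing"; rc=1; }

    [ $rc -eq 0 ] && echo "OK   pre-flight passed"
    return $rc
}

case "${1:-}" in
    live) shift; run_live "$@" ;;
esac
```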


5. Install PSMP Package

Run installation:

rpm -ivh CARKpsmp-15.x.x.x.rpm

Installation runs non-interactively.

Expected output:
“Installation process was completed successfully.”


6. Vault Registration (Finalize Step)

This is the most critical step.


6.1 Create vault.ini File

cp /opt/CARKpsmp/doc/examples/vault.ini /root/vault.ini
vi /root/vault.ini

Mandatory Parameter

Address=<Vault-IP-or-Hostname>

Optional TLS Configuration

VaultCommunicationProtocol=TLS
TLSVersions=TLS_1_2
TLSPort=443

6.2 Create Credential File

cd /opt/CARKpsmp/bin
./createcredfile user.cred

Provide:

  • Vault username
  • Password
  • Enable entropy (recommended)

6.3 Execute Finalize Script

/opt/CARKpsmp/bin/psmp_setup.sh --finalize --vault-ini /root/vault.ini --credfile /opt/CARKpsmp/bin/user.cred

6.4 Expected Output

PSM for SSH service instance registered in Vault and enabled.
All configuration tasks were completed successfully.

7. Verification


7.1 Check Running Processes

ps -ef | grep psmp

Expected processes:

  • psmpserver
  • psmpadbserver
  • psmprestservice

7.2 Check Service

systemctl status psmpsrv

Expected:

active (exited)

This is normal behavior.


7.3 Check Logs

tail -f /var/opt/CARKpsmp/logs/PSMPConsole.log
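The three checks in sections 7.1 to 7.3 can be combined into one health check. The following is an added example written for this page, not part of the original guide or of CyberArk's tooling; it takes the expected process names and the log path from the text above, and the systemctl and ps output used to exercise it are constructed samples. The point it encodes is that `active (exited)` is a healthy state for psmpsrv, so the check must not treat "exited" as a failure.

```shell
#!/usr/bin/env bash
# psmp_health.sh - post-install service checks for CyberArk PSMP (added example, not CyberArk code).
# Usage: ./psmp_health.sh live    (no args: define functions only)

PSMP_EXPECTED_PROCS="psmpserver psmpadbserver psmprestservice"
PSMP_CONSOLE_LOG="/var/opt/CARKpsmp/logs/PSMPConsole.log"

# unit_state_ok < systemctl-show-output
# Reads `systemctl show -p ActiveState -p SubState <unit>` output. psmpsrv starts
# daemons that keep running after the unit's own process exits, so
# "active (exited)" is healthy; "failed", "inactive" or "activating" are not.
unit_state_ok() {
    local active sub line
    while IFS= read -r line; do
        case "$line" in
            ActiveState=*) active=${line#ActiveState=} ;;
            SubState=*)    sub=${line#SubState=} ;;
        esac
    done
    [ "$active" = active ] && { [ "$sub" = exited ] || [ "$sub" = running ]; }
}

# missing_procs NAME ... < ps-args-output
# Reads `ps -eo args=` output (one command line per line) and prints the expected
# daemons that do not appear as a whole word (so a path prefix still matches).
missing_procs() {
    local procs name
    procs=$(cat)
    for name in "$@"; do
        printf '%s\n' "$procs" | grep -qw -- "$name" || printf '%s\n' "$name"
    done
}

run_live() {
    local rc=0 missing
    systemctl show -p ActiveState -p SubState psmpsrv | unit_state_ok ||
        { echo "FAIL psmpsrv is not active (exited|running)"; rc=1; }
    missing=$(ps -eo args= | missing_procs $PSMP_EXPECTED_PROCS)   # unquoted: word-split the names
    [ -z "$missing" ] || { echo "FAIL daemons not running: $missing"; rc=1; }
    echo "Recent errors in $PSMP_CONSOLE_LOG:"
    grep -iE 'error|fail' "$PSMP_CONSOLE_LOG" 2>/dev/null | tail -n 5
    return $rc
}

case "${1:-}" in
    live) run_live ;;
esac
```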

8. Functional Testing


8.1 Test SSH Access via PSMP

From client machine:

ssh <vault-user>@<psmp-server>

This validates:

  • Vault integration
  • PSMP proxy functionality

9. Post-Installation Tasks


9.1 Verify ADBridge Service

systemctl status psmpsrv-psmpadbserver

9.2 Enable SFTP (Optional)

Edit SSH configuration:

vi /etc/ssh/sshd_config

Uncomment:

Subsystem sftp /usr/libexec/openssh/sftp-server

Restart SSH:

systemctl restart sshd

9.3 Remove Sensitive Files

rm -f /opt/CARKpsmp/bin/user.cred
rm -f /root/vault.ini

9.4 Verify Time Synchronization

timedatectl

9.5 Firewall Configuration

Ensure the following ports are open:

  • 22 (SSH to PSMP)
  • 1858 (PSMP to Vault)
  • 443 (PSMP to PVWA if TLS)

10. Optional Integrations


10.1 LDAP Integration (AD Bridge)

  • Enable ADBridge
  • Configure LDAP settings in Vault

10.2 RADIUS Integration

  • Configure RADIUS in Vault
  • PSMP authentication will follow Vault settings

11. Troubleshooting


Issue: Service shows “active (exited)”

Resolution: This is expected behavior.


Issue: Vault registration fails

Check:

  • Network connectivity
  • Vault user permissions
  • TLS configuration

Issue: SSH connection fails

Check:

ss -tlnp '( sport = :22 )'
firewall-cmd --list-all

Issue: SELinux blocking

Temporary test:

setenforce 0

Issue: Port conflicts

netstat -tulnp | grep 18923

12. Architecture Flow

  1. User connects to PSMP via SSH
  2. PSMP authenticates the user via the Vault
  3. PSMP proxies the session to the target system
  4. Session is controlled and audited


13. Conclusion

The PSM for SSH installation and configuration is complete once:

  • Vault registration is successful
  • PSMP services are running
  • SSH access through PSMP is validated