CyberArk PSM for SSH (PSMP) 15.x
Installation and Configuration Guide (Rocky Linux / RHEL 8.x)
1. Introduction
This document provides detailed step-by-step instructions for installing and configuring CyberArk Privileged Session Manager for SSH (PSMP) version 15.x on a Rocky Linux / RHEL 8.x server.
PSMP enables secure proxy-based SSH access to target systems via CyberArk Vault without exposing credentials to end users.
2. Prerequisites
2.1 Supported Operating System
Verify that the operating system is supported.
Command:
cat /etc/os-release
Ensure the OS is Rocky Linux 8.x or RHEL 8.x.
2.2 CyberArk License Requirements
Ensure that the CyberArk license includes:
- PSMPServer
- PSMPApp access
Installation will not proceed without a valid license.
2.3 Vault Connectivity
Verify connectivity between PSMP server and Vault.
Commands:
ping <Vault-IP>
telnet <Vault-IP> 1858
Ensure required ports are open:
- 1858 / 1859 (Vault)
- 443 (PVWA if TLS used)
2.4 Required Vault Permissions
The Vault user used during installation must have:
- Add Safes
- Audit Users
- Add/Update Users
- Manage Server File Categories
Ownership of the PVWAConfig Safe with:
- List Accounts
- Retrieve Accounts
- Manage Safe Owners
2.5 SELinux Configuration
Check SELinux status:
getenforce
Install required package:
yum install -y policycoreutils-python-utils
SELinux should be in enforcing mode before installation.
2.6 Disable NSCD (If Installed)
Check:
rpm -qa | grep nscd
If installed:
systemctl stop nscd.service nscd.socket
systemctl disable nscd.service nscd.socket
2.7 Create Local Administrative User
useradd psmpadmin
passwd psmpadmin
This user is used for server administration.
3. Prepare Installation Files
Create installation directory:
mkdir -p /opt/CARKpsmp
cd /opt/CARKpsmp
Copy the following files:
- CARKpsmp-15.x.x.x.rpm
- psmpparms.sample
- RPM-GPG-KEY-CyberArk
3.1 Verify RPM Signature
rpm --import RPM-GPG-KEY-CyberArk
rpm -K -v CARKpsmp-15.x.x.x.rpm
Ensure output shows “OK”.
4. Create Parameter File (psmpparms)
Copy sample file:
cp psmpparms.sample psmpparms
vi psmpparms
4.1 Mandatory Parameters
AcceptCyberArkEULA=Yes
Hardening=Yes
4.2 Recommended Parameters
EnablePSMPRestService=Yes
PSMPCreateEnvRetryTimeout=1
PSMPCreateEnvClientsCount=10
4.3 Optional Parameter
EnableADBridge=Yes
4.4 Move Parameter File
mv psmpparms /var/tmp/
This location is mandatory.
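As an added example (not part of this guide or of the CyberArk package), a small preflight script that checks the Section 2.1 operating-system requirement and the Section 4.1 mandatory parameters; both functions take file paths, and the dry run at the end uses constructed sample files rather than the real ones:

```shell
#!/usr/bin/env bash
# Added example (not CyberArk's own code): pre-install checks for Section 2.1
# (supported OS) and Section 4.1 (mandatory psmpparms values). Both functions
# take file paths so they can run against constructed samples or the real files.
set -u

# Return 0 when an os-release file describes Rocky Linux 8.x or RHEL 8.x.
os_supported() {
  os_file=$1
  id=$(sed -n 's/^ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$os_file")
  ver=$(sed -n 's/^VERSION_ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$os_file")
  case "$id" in
    rocky|rhel) ;;
    *) return 1 ;;
  esac
  case "$ver" in
    8|8.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print each mandatory psmpparms key that is missing or not set to Yes;
# return 0 only when the file is ready to be moved to /var/tmp (Section 4.4).
psmpparms_ready() {
  parms=$1
  rc=0
  for key in AcceptCyberArkEULA Hardening; do
    # strip CR in case the file was edited on Windows; last assignment wins
    val=$(tr -d '\r' < "$parms" | sed -n "s/^${key}=\(.*\)$/\1/p" | tail -n 1)
    if [ "$val" != "Yes" ]; then
      echo "$key is '${val:-unset}', must be Yes"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed samples for a dry run; on the server use /etc/os-release and
# the psmpparms you edited in Section 4.
tmp=$(mktemp -d)
printf 'ID="rocky"\nVERSION_ID="8.9"\n' > "$tmp/os-release"
printf 'AcceptCyberArkEULA=Yes\nHardening=No\n' > "$tmp/psmpparms"
os_supported "$tmp/os-release" && echo "OS supported"
psmpparms_ready "$tmp/psmpparms" || echo "fix psmpparms before continuing"
rm -rf "$tmp"
```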
5. Install PSMP Package
Run installation:
rpm -ivh CARKpsmp-15.x.x.x.rpm
Installation runs non-interactively.
Expected output:
“Installation process was completed successfully.”
6. Vault Registration (Finalize Step)
This is the most critical step.
6.1 Create vault.ini File
cp /opt/CARKpsmp/doc/examples/vault.ini /root/vault.ini
vi /root/vault.ini
Mandatory Parameter
Address=<Vault-IP-or-Hostname>
Optional TLS Configuration
VaultCommunicationProtocol=TLS
TLSVersions=TLS_1_2
TLSPort=443
6.2 Create Credential File
cd /opt/CARKpsmp/bin
./createcredfile user.cred
Provide:
- Vault username
- Password
- Enable entropy (recommended)
6.3 Execute Finalize Script
/opt/CARKpsmp/bin/psmp_setup.sh --finalize --vault-ini /root/vault.ini --credfile /opt/CARKpsmp/bin/user.cred
6.4 Expected Output
PSM for SSH service instance registered in Vault and enabled.
All configuration tasks were completed successfully.
7. Verification
7.1 Check Running Processes
ps -ef | grep psmp
Expected processes:
- psmpserver
- psmpadbserver
- psmprestservice
7.2 Check Service
systemctl status psmpsrv
Expected:
active (exited)
This is normal behavior.
7.3 Check Logs
tail -f /var/opt/CARKpsmp/logs/PSMPConsole.log
8. Functional Testing
8.1 Test SSH Access via PSMP
From client machine:
ssh <vault-user>@<psmp-server>
This validates:
- Vault integration
- PSMP proxy functionality
9. Post-Installation Tasks
9.1 Verify ADBridge Service
systemctl status psmpsrv-psmpadbserver
9.2 Enable SFTP (Optional)
Edit SSH configuration:
vi /etc/ssh/sshd_config
Uncomment:
Subsystem sftp /usr/libexec/openssh/sftp-server
Restart SSH:
systemctl restart sshd
9.3 Remove Sensitive Files
rm -f /opt/CARKpsmp/bin/user.cred
rm -f /root/vault.ini
9.4 Verify Time Synchronization
timedatectl
9.5 Firewall Configuration
Ensure the following ports are open:
- 22 (SSH to PSMP)
- 1858 (PSMP to Vault)
- 443 (PSMP to PVWA if TLS)
10. Optional Integrations
10.1 LDAP Integration (AD Bridge)
- Enable ADBridge
- Configure LDAP settings in Vault
10.2 RADIUS Integration
- Configure RADIUS in Vault
- PSMP authentication will follow Vault settings
11. Troubleshooting
Issue: Service shows “active (exited)”
Resolution: This is expected behavior.
Issue: Vault registration fails
Check:
- Network connectivity
- Vault user permissions
- TLS configuration
Issue: SSH connection fails
Check:
ss -tulnp | grep 22
firewall-cmd --list-all
Issue: SELinux blocking
Temporary test only (return SELinux to enforcing afterwards; see 2.5):
setenforce 0
Issue: Port conflicts
netstat -tulnp | grep 18923
12. Architecture Flow
User connects to PSMP via SSH
PSMP authenticates user via Vault
PSMP proxies session to target system
Session is controlled and audited
13. Conclusion
The PSM for SSH installation and configuration is complete once:
- Vault registration is successful
- PSMP services are running
- SSH access through PSMP is validated