
Oracle Fusion Middleware : Oracle Identity and Access Management Suite 10g/11gR1/11gR2 PS1, PS2, PS3 : OIM | OAM, OAAM, OIF | OID, OVD, DIP | OUD / ODSEE | Microsoft AD | OpenLDAP | ADF | EBS R12 | OECMCCR4 | Business Intelligence - BI Publisher | Banking | Demo Applications | Core Java | SQL | PL/SQL | Web services | WebLogic | Tomcat | JBoss | OHS | WebGate | WebCenter | For any queries, please contact me: info@oratechsoft.com


Thursday, 16 April 2026

CyberArk PTA 14.6.1 Installation and Configuration

Production SOP for RHEL/CentOS

This document provides a structured, production-ready procedure for installing and configuring CyberArk Privileged Threat Analytics (PTA) version 14.6.1. The focus is on correctness, repeatability, and eliminating common failure points.


1. Environment Overview

Operating System: RHEL / CentOS 7.9 (Minimal). Note that the package commands in section 3 use dnf and RHEL 8-family package names, which a minimal CentOS 7.9 image does not have (it uses yum); confirm the OS release against the PTA 14.6.1 system requirements before building and adjust the commands to match.
CPU / Memory: 8 vCPU / 16 GB RAM
Disk: 500 GB
Domain: corp.com

Components:

  • Vault: 10.0.20.201
  • PVWA: 10.0.20.203
  • PTA: 10.0.20.206

2. Vault and PVWA Pre-Requisites

2.1 Vault Configuration

Create the following users using PrivateArk Client:

  • PTAAppUser (Application type)
  • PTAGWUser (Gateway type)

Grant permissions in the PasswordVault safe:

  • List Accounts
  • Retrieve Accounts
  • View Safe Members

Update the Vault configuration file:

C:\Program Files (x86)\PrivateArk\Server\Conf\dbparm.ini

Add:

AllowNonStandardUserTypes=Yes

Restart the PrivateArk Server service.

Failure to apply this setting results in PTA authentication issues.


2.2 PVWA Configuration

Enable double escaping on the PasswordVault application in IIS. PTA's REST calls to PVWA contain percent-encoded characters that IIS request filtering rejects by default (HTTP 404.11); the appcmd command below scopes the relaxation to the PasswordVault application only, not to the whole server:

cd %windir%\system32\inetsrv

appcmd set config "Default Web Site/PasswordVault" ^
-section:system.webServer/security/requestFiltering ^
/allowDoubleEscaping:"True" /commit:apphost

iisreset

If this step is skipped, PTA API communication will fail (commonly observed as P023 errors).


3. PTA Server Base OS Configuration

3.1 Hostname and DNS

hostnamectl set-hostname pta.corp.com

Add entries for the Vault, PVWA and PTA to /etc/hosts (or confirm DNS provides them) so that each name resolves to its address and each address resolves back to the same name. Use the same Vault and PVWA addresses that you will enter as Authorized Sources in section 6.


3.2 SELinux Configuration

sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0

PTA is not supported with SELinux in enforcing mode. The config change only takes effect at the next boot (section 3.6); setenforce 0 switches the running system to permissive immediately. Record the disabled state in the host's hardening baseline, since the server will run without SELinux confinement.


3.3 Time Synchronization

dnf install -y chrony
systemctl enable --now chronyd

Time skew greater than five minutes causes authentication failures.


3.4 Required Packages

dnf update -y

dnf install -y unzip tar net-tools bind-utils curl telnet rsyslog \
policycoreutils-python-utils iptables-nft-services tmpwatch sshpass libnsl

systemctl enable --now rsyslog

3.5 Firewall Configuration

systemctl disable --now firewalld

PTA manages iptables internally, and a running firewalld would conflict with the rules it installs. After installation, confirm that PTA's rules are present (list the iptables chains) before the host is exposed to anything beyond the Vault and PVWA.


3.6 Reboot

reboot
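
The base-OS steps in sections 3.1 to 3.5 are easy to get subtly wrong (a hosts entry that resolves one way only, a SELinux change that has not taken effect yet, a chrony that is installed but not synchronised), so a preflight that checks them after the reboot is worth keeping with the SOP. The script below is an added example, not part of the original procedure or of CyberArk's tooling. Each parser takes command output as a string, so the logic can be exercised on the constructed samples embedded in the file; setting PTA_PREFLIGHT_LIVE=1 runs the same checks against the real host. The name vault.corp.com is an assumption (the SOP only gives the Vault by IP); the other names and addresses are the SOP's.

```shell
#!/bin/sh
# Preflight for the section 3 base-OS steps (added example; not part of the SOP or CyberArk's tooling).
# Each parser takes command output as a string so it can be tested on constructed samples;
# run_live() feeds it the real commands when PTA_PREFLIGHT_LIVE=1.

# entry_maps ENTRY HOST IP: ENTRY is one `getent hosts` line ("ip name [alias ...]").
# Returns 0 when the line maps IP to HOST, so the same check covers both lookup directions.
entry_maps() {
    printf '%s\n' "$1" | awk -v h="$2" -v ip="$3" '
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == h) ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# selinux_mode CONFIG_TEXT: prints the SELINUX= value from /etc/selinux/config text (last one wins).
selinux_mode() {
    printf '%s\n' "$1" | sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' | tail -n 1
}

# chrony_offset_ok TRACKING_TEXT MAX_SECONDS: 0 when `chronyc tracking` reports leap status
# Normal and a system-time offset of at most MAX_SECONDS (fast or slow makes no difference).
chrony_offset_ok() {
    printf '%s\n' "$1" | awk -v max="$2" '
        /^Leap status/ && $NF == "Normal" { normal = 1 }
        /^System time/ { off = $4 + 0; have = 1 }
        END { exit ((normal && have && off <= max) ? 0 : 1) }'
}

# Constructed samples (not captured from a real host) used by the self-test.
SAMPLE_GETENT='10.0.20.201     vault.corp.com vault'
SAMPLE_SELINUX='# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted'
SAMPLE_TRACKING='Reference ID    : C0A80001 (ntp.corp.com)
Stratum         : 3
System time     : 0.000312 seconds slow of NTP time
Leap status     : Normal'

run_live() {
    rc=0
    # vault.corp.com is an assumed name; the SOP only gives the Vault by IP.
    for pair in vault.corp.com=10.0.20.201 pvwa.corp.com=10.0.20.203 pta.corp.com=10.0.20.206; do
        h=${pair%%=*}; ip=${pair#*=}
        entry_maps "$(getent hosts "$h")"  "$h" "$ip" || { echo "FAIL forward lookup: $h -> $ip"; rc=1; }
        entry_maps "$(getent hosts "$ip")" "$h" "$ip" || { echo "FAIL reverse lookup: $ip -> $h"; rc=1; }
    done
    [ "$(selinux_mode "$(cat /etc/selinux/config)")" = disabled ] || { echo "FAIL SELinux not disabled in config"; rc=1; }
    [ "$(getenforce)" = Disabled ] || { echo "FAIL SELinux still active (reboot pending?)"; rc=1; }
    chrony_offset_ok "$(chronyc tracking)" 300 || { echo "FAIL chrony not synced within 300 s"; rc=1; }
    [ "$(systemctl is-active firewalld)" = inactive ] || { echo "FAIL firewalld still active"; rc=1; }
    [ "$rc" -eq 0 ] && echo "Preflight OK"
    return "$rc"
}

if [ "${PTA_PREFLIGHT_LIVE:-0}" = 1 ]; then
    run_live
fi
```

Run it as root on the PTA host with PTA_PREFLIGHT_LIVE=1 after the reboot in 3.6 and again whenever the host is rebuilt; any FAIL line maps directly to the sub-section of section 3 that was skipped or did not take effect.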

4. PTA Installation

mkdir -p /opt/PTA
cd /opt/PTA

Verify the installer archive's integrity against the checksum or signature CyberArk distributes for the release before extracting it; the installer runs as root.

unzip PTA-Installer-Rls-v14.6.1.zip
chmod +x pta_installer.sh

./pta_installer.sh

Installation directories:

  • /opt/pta
  • /opt/tomcat

Note that /opt/PTA (where the archive was unpacked above) and /opt/pta (the installed product) are distinct directories on a case-sensitive filesystem; do not confuse them in later steps.

5. Certificate Trust Configuration

5.1 Import CA into OS Trust

cp domain.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

5.2 Import CA into Java Truststore

/opt/pta/infra/jvm/jre17/bin/keytool -import \
-alias pvwa-rootca \
-keystore /opt/pta/infra/jvm/jre17/lib/security/cacerts \
-file domain.crt \
-storepass changeit \
-noprompt

OS-level trust is not sufficient: curl and other OS tools consult /etc/pki/ca-trust, but the PTA JVM validates outbound TLS connections against its own cacerts file, so a CA imported only into the OS store produces the "curl works, PTA fails" symptom of section 12.4. domain.crt must be the CA (with any intermediate) that issued the PVWA certificate, and the import has to be repeated if the bundled JRE is replaced during an upgrade.


6. PTA Pre-Configuration Wizard

Run:

/opt/tomcat/prepwiz/run.sh

Provide the following critical inputs:

  • Vault IP: 10.0.20.201
  • Vault Port: 1858
  • securityModuleTrustedConnection: Yes
  • PVWA Address: pvwa.corp.com
  • PVWA Port: 443
  • Authorized Sources: Vault and PVWA IP addresses

Incorrect values here surface later as authentication failures and diagnostic errors (section 12), so verify each entry before continuing.


7. Tomcat Keystore Alias Fix

After running prepwiz, add keyAlias to the HTTPS connector in the Tomcat configuration. Back the file up first; the edit is skipped if an alias is already set, and the match is anchored to the attribute's closing quote so it cannot swallow the rest of the line:

cp -a /etc/opt/pta/tomcat/server.xml /etc/opt/pta/tomcat/server.xml.bak
grep -q 'keyAlias=' /etc/opt/pta/tomcat/server.xml || \
  sed -i 's|keystorePass="[^"]*"|& keyAlias="1"|' /etc/opt/pta/tomcat/server.xml

Without this fix, the PTA service will not bind to port 8443. This assumes the prepwiz-generated keystore holds its key under alias 1; if you have replaced the keystore with your own certificate, use the alias that keytool -list reports for it instead.
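
Rather than trusting that alias 1 is right, the check behind section 12.1 is to read the connector's keystoreFile, keystorePass and keyAlias back out of server.xml and confirm that the alias really is an entry in that keystore. The script below does that; it is an added example, not CyberArk code. The file paths are the SOP's, the attribute names are Tomcat's, and the XML and keytool output embedded in it are constructed samples for the self-test. Setting PTA_KEYSTORE_LIVE=1 runs the check against the real files; the store password is handed to keytool through the environment (keytool's -storepass:env) rather than on the command line, so it does not show up in the process list.

```shell
#!/bin/sh
# Verify that the keyAlias on PTA's HTTPS connector names an entry that actually exists in the
# keystore the connector points at. Added example for section 7; not CyberArk code. The file paths
# are the SOP's; the attribute names (keystoreFile, keystorePass, keyAlias) are Tomcat's.

SERVER_XML=/etc/opt/pta/tomcat/server.xml
KEYTOOL=/opt/pta/infra/jvm/jre17/bin/keytool

# https_connector XML_TEXT: prints the <Connector .../> tag carrying port="8443" as one line.
https_connector() {
    printf '%s\n' "$1" | tr '\n' ' ' | grep -o '<Connector[^>]*>' | grep 'port="8443"'
}

# connector_attr TAG NAME: prints the value of NAME="..." from a single-line tag.
connector_attr() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# keystore_aliases LIST_TEXT: alias of every key or certificate entry in `keytool -list` output,
# whose entry lines look like:  1, Jan 1, 2026, PrivateKeyEntry,
keystore_aliases() {
    printf '%s\n' "$1" | awk -F', ' '/(PrivateKeyEntry|trustedCertEntry),?[[:space:]]*$/ { print $1 }'
}

# alias_present LIST_TEXT ALIAS: 0 when ALIAS is one of the keystore's entries.
alias_present() {
    keystore_aliases "$1" | grep -qxF -- "$2"
}

# Constructed samples for the self-test (not taken from a real PTA host).
SAMPLE_XML='<Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="/etc/opt/pta/tomcat/pta.p12" keystorePass="constructed" keyAlias="1" />
</Service>'
SAMPLE_LIST='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

1, Jan 1, 2026, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:33'

check_live() {
    tag=$(https_connector "$(cat "$SERVER_XML")") || { echo "no port 8443 connector in $SERVER_XML"; return 1; }
    ks=$(connector_attr "$tag" keystoreFile)   # may be relative to the Tomcat base directory
    al=$(connector_attr "$tag" keyAlias)
    pw=$(connector_attr "$tag" keystorePass)
    # The store password reaches keytool via the environment, not argv, so it is not visible in ps.
    list=$(KSPASS="$pw" "$KEYTOOL" -list -keystore "$ks" -storepass:env KSPASS) || return 1
    if [ -z "$al" ]; then
        echo "keyAlias is not set; entries in $ks:"; keystore_aliases "$list"; return 1
    fi
    alias_present "$list" "$al" && echo "keyAlias=\"$al\" matches an entry in $ks" && return 0
    echo "keyAlias=\"$al\" is not in $ks; entries are:"; keystore_aliases "$list"; return 1
}

if [ "${PTA_KEYSTORE_LIVE:-0}" = 1 ]; then
    check_live
fi
```

If the check reports that the alias is missing, set keyAlias to one of the listed entries instead of "1"; if keyAlias is absent altogether, the fix above has not been applied.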


8. Start and Validate Services

systemctl start appmgr

Verify Listening Ports (8080 and 8443 are TCP; the Vault syslog listener on 11514 is UDP, so include UDP sockets)

ss -tulnp | grep -E ':(8080|8443|11514)\b'

Test PTA UI

curl -kI https://localhost:8443

Test PVWA API Connectivity

Use a dedicated CyberArk-authenticated test user rather than Administrator, and keep the password out of the command line, where it would be visible in the process list and shell history. Pass the CA from section 5 instead of -k so the test also exercises the certificate chain:

read -r -s -p 'PVWA password: ' PVWA_PW; echo
printf '{"username":"%s","password":"%s"}' '<test-user>' "$PVWA_PW" |
curl -s --cacert domain.crt -X POST https://pvwa.corp.com/PasswordVault/api/auth/CyberArk/Logon \
-H "Content-Type: application/json" --data @-

A successful call returns the session token as a JSON string. If it fails, PTA integration is not functioning; fix PVWA connectivity before continuing. A success here proves the chain against domain.crt from the OS side only, not that the PTA JVM trusts it (section 5.2).
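
The manual checks above are worth scripting so they are run the same way on every rebuild. The script below is an added example, not CyberArk's tooling: it checks the TCP and UDP listeners PTA must expose, then logs on to the PVWA REST API with a dedicated test account whose password is read from the terminal, and logs off again so the test leaves no open session. pvwa.corp.com and domain.crt are the SOP's; the user name pta-apitest is a placeholder for whatever test account you create, and the ss output and API responses embedded in the file are constructed samples for the self-test. Setting PTA_VALIDATE_LIVE=1 runs the real checks.

```shell
#!/bin/sh
# Post-start validation for section 8 (added example; not CyberArk's tooling). Checks the
# TCP and UDP listeners PTA must expose, then logs on to the PVWA REST API with a dedicated
# test account whose password is read from the terminal, never from argv, and logs off again.
# pvwa.corp.com and domain.crt are the SOP's; the test user name is a placeholder.

PVWA_HOST=pvwa.corp.com
CA_FILE=domain.crt        # the CA that issued the PVWA certificate (section 5)
TEST_USER=pta-apitest     # assumed: a CyberArk-authenticated user created for this check

# missing_ports SS_TEXT PORT...: given `ss -tulnp` output, prints each PORT with no
# LISTEN (tcp) or UNCONN (udp) socket. Handles IPv4 and bracketed IPv6 local addresses.
missing_ports() {
    _ss=$1; shift
    for _p in "$@"; do
        printf '%s\n' "$_ss" | awk -v port="$_p" '
            NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") { a = $5; sub(/.*:/, "", a); if (a == port) found = 1 }
            END { exit (found ? 0 : 1) }' || printf '%s\n' "$_p"
    done
}

# logon_token BODY: the PVWA Logon endpoint returns the session token as a bare JSON string
# ("..."); anything else (an error object, an HTML page) is a failure. Prints the token.
logon_token() {
    case $1 in
        \"*\") _t=${1#\"}; printf '%s\n' "${_t%\"}" ;;
        *)     return 1 ;;
    esac
}

# Constructed samples (not captured from a real host) for the self-test.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0          0.0.0.0:11514     0.0.0.0:*   users:(("java",pid=2101,fd=55))
tcp   LISTEN 0      100        0.0.0.0:8080      0.0.0.0:*   users:(("java",pid=2101,fd=60))
tcp   LISTEN 0      100           [::]:8443         [::]:*   users:(("java",pid=2101,fd=61))'
SAMPLE_LOGON_OK='"constructed-session-token"'
SAMPLE_LOGON_ERR='{"ErrorCode":"CONSTRUCTED","ErrorMessage":"Authentication failure"}'

pvwa_logon_logoff() {
    printf 'Password for %s: ' "$TEST_USER" >&2
    stty -echo; read -r _pw; stty echo; echo >&2
    # The JSON body is built with printf; a password containing " or \ would need escaping, so
    # give the test account one without them. --cacert replaces -k so the chain is verified.
    _body=$(printf '{"username":"%s","password":"%s"}' "$TEST_USER" "$_pw" |
        curl -s --cacert "$CA_FILE" -H 'Content-Type: application/json' --data @- \
            "https://$PVWA_HOST/PasswordVault/api/auth/CyberArk/Logon")
    _tok=$(logon_token "$_body") || { echo "PVWA logon failed: $_body" >&2; return 1; }
    curl -s -o /dev/null --cacert "$CA_FILE" -H "Authorization: $_tok" -X POST \
        "https://$PVWA_HOST/PasswordVault/api/auth/Logoff"
    echo "PVWA logon and logoff OK"
}

if [ "${PTA_VALIDATE_LIVE:-0}" = 1 ]; then
    _missing=$(missing_ports "$(ss -tulnp)" 8080 8443 11514)
    [ -z "$_missing" ] || { echo "not listening: $_missing"; exit 1; }
    pvwa_logon_logoff
fi
```

A port reported as not listening points back to section 7 (8443) or section 10 (11514); a logon that returns an error object rather than a token points at the PVWA prerequisites in section 2.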


9. Post-Installation Configuration

Access PTA UI:

https://<PTA-IP>:8443

Complete the following:

  • Change administrator password
  • Upload license
  • Configure AD connectivity (Global Catalog over LDAPS, TCP 3269)
  • Validate PVWA connectivity
  • Configure SMTP and SIEM

10. Vault Syslog Integration

On Vault server, update:

dbparm.ini

Add:

SyslogServerIP=10.0.20.206
SyslogServerPort=11514
SyslogServerProtocol=UDP

Restart Vault service.

Without syslog integration, PTA receives no Vault audit data. Plain UDP syslog is neither authenticated nor encrypted, so restrict the Vault-to-PTA path at the network layer, and confirm on the PTA side that a UDP listener is bound on 11514 (the port check in section 8) before expecting events to arrive.


11. Hardening

Before disabling root SSH, confirm that a non-root administrative account with sudo exists and can log in; otherwise this step locks you out of the host. The sed below also matches the commented-out default (which is PermitRootLogin prohibit-password on newer releases, not yes), and sshd -t validates the file before the restart:

sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sshd -t && systemctl restart sshd
sshd -T | grep -i permitrootlogin

12. Common Failure Scenarios

12.1 PTA UI Not Accessible on Port 8443

  • Cause: Keystore alias mismatch
  • Fix: Set keyAlias="1" in server.xml

12.2 P023 Diagnostic Failure

  • Cause: Double escaping disabled in PVWA
  • Fix: Enable via IIS appcmd

12.3 Authentication Failures (401 Errors)

  • Cause: Trusted connection disabled
  • Fix: Set securityModuleTrustedConnection to Yes

12.4 SSL Works via Curl but PTA Fails

  • Cause: Missing CA in Java truststore
  • Fix: Import certificate using keytool

13. Engineering Takeaways

Two practices determine whether this deployment succeeds or fails:

Configuration Discipline

  • Applying Vault and PVWA prerequisites correctly versus assuming defaults
  • Importing certificates into Java truststore rather than relying only on OS-level trust

Validation Approach

  • Verifying API connectivity manually instead of assuming success
  • Checking service ports explicitly instead of relying on service status
