
Saturday, 2 August 2025

CyberArk: Windows Authentication in PVWA

When CyberArk Vault is deployed in a Windows environment, Windows Authentication enables seamless access to the Password Vault Web Access (PVWA) interface. Users already authenticated to the Windows domain are automatically logged in to PVWA without needing to enter their credentials again.


Phase 1: Enable Windows Authentication in Classic PVWA Interface

Step 1: Log in to PVWA

  • Use the predefined Administrator account to log into the PVWA interface.

Step 2: Open System Configuration

  • Navigate to the ADMINISTRATION section.

  • Open the System Configuration page.

  • Click on Options to access the system configuration editor.

Step 3: Enable the Windows Authentication Method

  • Expand the Authentication Methods section.

  • Select windows from the list of supported authentication methods.

  • Set the Enabled property to Yes.

Step 4: Save the Configuration

Choose one of the following:

  • Click Apply to save and apply the changes immediately.

  • Click Save to save the changes and apply them after the duration defined in the RefreshPeriod parameter.


Phase 2: Enable Windows Authentication in PVWA V10 Interface

Note: This method is supported from CyberArk version 9.8 and above.

Step 1: Open IIS Configuration File

  • Open applicationHost.config located in:

    %WinDir%\System32\Inetsrv\Config\applicationHost.config

  • Use Notepad (not Notepad++) with administrative privileges.

Step 2: Add Windows Authentication Configuration

At the end of the configuration file, add the following block:


<location path="Default Web Site/PasswordVault/api/auth/windows/logon">
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>

Step 3: Restart IIS

  • Open a Command Prompt as Administrator.

  • Run the following command:

iisreset

This restarts the IIS server and applies the updated configuration.
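The same change made from an elevated PowerShell session, as an added example that is not part of the original post: it enables Windows Authentication for the logon endpoint through the WebAdministration module, verifies the setting, and restarts IIS. It assumes the site name "Default Web Site" and the PasswordVault application path exactly as given above.

```powershell
# Added example, not from the original post: enable Windows Authentication on the
# PVWA v10 logon endpoint through the WebAdministration module instead of editing
# applicationHost.config by hand, verify it, then restart IIS.
# Assumptions: elevated PowerShell on the PVWA server, site "Default Web Site"
# and the PasswordVault application path exactly as given on this page.
Import-Module WebAdministration

$location   = 'Default Web Site/PasswordVault/api/auth/windows/logon'
$filter     = '/system.webServer/security/authentication/windowsAuthentication'
$configFile = Join-Path $env:WinDir 'System32\inetsrv\Config\applicationHost.config'

# 1. Keep a timestamped copy of applicationHost.config so the change can be reverted.
$backup = "$configFile.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $configFile -Destination $backup
Write-Host "Backup written to $backup"

# 2. Enable Windows Authentication for this location only. IIS writes it to
#    applicationHost.config as the same <location path="..."> block shown above.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter $filter -Name 'enabled' -Value $true

# 3. Read the setting back and stop if it did not take.
$enabled = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter $filter -Name 'enabled').Value
if (-not $enabled) { throw "windowsAuthentication is still disabled for $location" }
Write-Host "windowsAuthentication enabled for $location"

# 4. Confirm the block landed in applicationHost.config and not in a web.config.
if (-not (Select-String -Path $configFile -Pattern 'api/auth/windows/logon' -Quiet)) {
    Write-Warning "No <location> entry for the logon path found in $configFile"
}

# 5. Restart IIS to apply the configuration (equivalent to the manual iisreset).
iisreset
```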


Phase 3: Test Windows Authentication in PVWA

  1. Open the PVWA in a browser.

  2. From the list of available authentication methods, select Windows.

  3. If configured correctly, PVWA will automatically authenticate you using your current Windows session without prompting for credentials.


Screenshots for your reference: 

1. Enable the Windows Authentication via PVWA 

2. Configure Windows Authentication in applicationHost.config 

1) Using Notepad (not Notepad++), open the IIS configuration file. By default, this is %WinDir%\System32\Inetsrv\Config\applicationHost.config. 

2) At the end of the file, add the following lines: 

******************** 
<location path="Default Web Site/PasswordVault/api/auth/windows/logon"> 
  <system.webServer> 
    <security> 
      <authentication> 
        <windowsAuthentication enabled="true" /> 
      </authentication> 
    </security> 
  </system.webServer> 
</location> 
******************** 

3) Perform an IISRESET. 
 


3. Enable Windows Authentication for the user/group. 




4. Update Internet Options to enable automatic logon with the current user name and password. 



After doing this, Windows Authentication should work as expected through the new UI:

https://cyberarkpam.corp.com/PasswordVault/v10/logon/windows



Happy learning!!



CyberArk: CA Certificate Request & install on Vault Server

Purpose: CA Certificate Request & install on Vault Server

The CACert utility is used to manage and prepare SSL certificates for the CyberArk Vault server. These certificates establish secure channels for Vault communications, allowing secure authentication of clients and third-party systems. The utility helps generate certificate signing requests (CSR), import and install certificates, view or verify certificate details, and manage trusted certificate authorities (CAs).


Phase 1: Pre-requisites and Planning

  • Ensure Vault is already installed and configured.

  • Certificate requirements must align with your organizational policies and CyberArk prerequisites.

  • You must have access to a Certificate Authority (CA) to sign CSR files or an externally generated PFX certificate (if importing).

  • Know the hostname and IP details for use in the Subject Alternative Name (SAN) field.


Phase 2: Create the Vault SSL Certificate

Option A: Generate a CSR and Install a Signed Certificate

Step 1: Generate Certificate Signing Request (CSR)

  1. Navigate to the Vault server installation folder (default: C:\Program Files (x86)\PrivateArk\Server).

  2. Open Command Prompt as Administrator.

  3. Run the following command:

CACert.exe request

You will be prompted for:

  • Request output file path and name

  • Private key output file path and name

  • Common Name (Vault hostname)

  • Subject Alternative Names (e.g., DNS:vault.company.com, IP:10.0.0.1)

Step 2: Sign the CSR with Your Organization's CA

  • Submit the generated CSR to your organizational CA.

  • Ensure the returned certificate and its chain are in Base-64 format.

Step 3: Install the Signed Certificate

  1. Transfer the signed certificate and certificate chain to the Vault server.

  2. Back up the existing private key, as defined in the ServerPrivateKey field in DBParm.ini.

  3. Replace the current private key with the new one if needed.

  4. Run the following command to install the certificate:

CACert.exe install

Specify the full path to the new certificate file.

  5. Restart the Vault service.


Option B: Import an Existing Certificate (.pfx)

  1. Transfer the .pfx certificate file and its chain to the Vault server.

  2. Back up the current private key (from DBParm.ini).

  3. Navigate to the Vault installation folder.

  4. Open Command Prompt as Administrator.

  5. Run the following command:

CACert.exe import

Specify the full path of the .pfx file when prompted.

  6. Restart the Vault service.


Phase 3: Certificate Verification

View Installed Certificate

  1. Go to C:\Program Files (x86)\PrivateArk\Server\Conf.

  2. Open DBParm.ini and locate the ServerCertificateFile entry.

  3. Copy that file and rename it to .cer format (e.g., server.cer).

  4. Double-click to view it or use certificate tools like Crypto Shell Extensions.

Verify TLS Certificate and Chain

  1. Open Command Prompt as Administrator.

  2. Navigate to the Vault installation folder.

  3. Run:

CACert.exe verify

This verifies the installed Vault server certificate and its full trust chain.
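The same inspection and chain check done from PowerShell, as an added example that is not part of the original post: it reads the certificate path from DBParm.ini, prints the fields you would otherwise view by renaming the file to .cer, and builds the trust chain. The Vault FQDN and the default paths are assumptions.

```powershell
# Added example, not part of the original post: inspect the Vault server certificate
# that DBParm.ini points to and verify its trust chain from PowerShell, as a
# scriptable complement to renaming the file to .cer and opening it.
# Assumptions: default Vault paths as on the page; $expectedHost is a placeholder
# for the Vault FQDN you expect to see in the certificate's SAN.
$dbParm       = 'C:\Program Files (x86)\PrivateArk\Server\Conf\DBParm.ini'
$expectedHost = 'vault.company.com'   # placeholder

# 1. Read the ServerCertificateFile value from DBParm.ini (a key=value line).
$line = Get-Content $dbParm | Where-Object { $_ -match '^\s*ServerCertificateFile\s*=' } | Select-Object -First 1
if (-not $line) { throw "ServerCertificateFile not found in $dbParm" }
$certPath = ($line -split '=', 2)[1].Trim()
if (-not (Test-Path $certPath)) { throw "Certificate file not found: $certPath" }

# 2. Load the certificate; the .NET constructor accepts DER or Base-64 encoded files.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
$sans   = if ($sanExt) { $sanExt.Format($false) } else { '' }
[pscustomobject]@{
    Subject  = $cert.Subject
    Issuer   = $cert.Issuer
    NotAfter = $cert.NotAfter
    SigAlg   = $cert.SignatureAlgorithm.FriendlyName
    SAN      = $sans
} | Format-List

# 3. Build the chain against the machine's trusted CA stores (the trust chain that
#    CACert.exe verify also checks). Set RevocationMode to 'Online' for CRL/OCSP lookups.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($cert)) {
    Write-Host 'Chain OK:'
    $chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
} else {
    Write-Warning 'Chain build failed:'
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
}

# 4. Clients connect by hostname, so the Vault FQDN must be in the SAN, and the
#    certificate should not be close to expiry.
if ($sans -notmatch [regex]::Escape($expectedHost)) {
    Write-Warning "SAN does not contain $expectedHost; clients would see a name mismatch"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); plan the renewal"
}
```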


Phase 4: CA Certificate Store Management (Optional)

You can manage trusted CA certificates for Vault clients using the following command:

CACert.exe setCA

Options include:

  • /certstore to specify which certificate store to use

  • /list to list current CA certs

  • /add and /remove to manage cert files



Screenshots for your Reference:

1. How to request the CSR using CACert.exe 




Note: share the vault.csr request with the CA team and get the certificates back from them (server, chain, CA root). 

2. How to Install the vault.cer using CACert.exe




Happy learning!!





CyberArk: CyberArk PAM integration with PKI Authentication

Phase 1: Overview & Purpose

Public Key Infrastructure (PKI) allows CyberArk PVWA to authenticate users based on client certificates issued by a trusted Certificate Authority (CA). During login, a secure SSL/TLS handshake ensures:

  • The client presents a valid certificate.

  • The server verifies the certificate’s trust chain and details (Subject/UPN).

  • Optional: Multi-factor support (certificate + password).


Phase 2: Prerequisites

2.1 Vault & PVWA Environment

  • CyberArk Vault and PVWA must be fully installed and accessible.

  • PVWA must be HTTPS-enabled with a CA-signed SSL certificate (not self-signed).

  • Vault must also be TLS-enabled with trusted CA certs.

2.2 LDAP/S Integration (Recommended)

  • LDAP integration must be configured.

  • Vault users must be:

    • Mapped to LDAP users.

    • AuthMethod set to PKI or PKIPN as appropriate.

2.3 Client Certificate Requirements

Each end-user certificate must:

  • Be issued by the same trusted CA configured in PVWA.

  • Include the UPN or sAMAccountName in:

    • Subject or SAN (Subject Alternative Name).

  • Contain the full chain (Root + Intermediates).

  • Be present in the user’s Personal Certificate Store (certmgr.msc > Personal > Certificates).

2.4 Server Certificate Trust Setup

On each PVWA server:

  • Import the Root CA and Intermediate CA certificates into:

    • Trusted Root Certification Authorities

    • Intermediate Certification Authorities (Local Computer store)


Phase 3: PVWA Configuration Steps

3.1 IIS Setup for SSL + Client Certificates

  • Open IIS Manager > Default Web Site > Bindings.

  • Bind HTTPS to port 443 using the PVWA SSL certificate.

  • In PasswordVault > SSL Settings:

    • Check Require SSL

    • Set Client Certificates to Accept (testing) or Require (production)

3.2 Enable PKI / PKIPN in PVWA UI

  • Log in to PVWA as an Admin.

  • Go to: Administration > Authentication Methods

  • Enable:

    • PKI (Distinguished Name matching)

    • PKIPN (UPN matching from certificate)

3.3 Configure LDAP for PKIPN

In PVWA Admin UI:

  • Go to: Administration > LDAP Integration

  • Under the appropriate profile (e.g., Microsoft AD):

    • Set UserLogonName = userPrincipalName

    • Under LDAP User Mapping, ensure Vault users can be matched by UPN

In web.config under <appSettings>:

<add key="UsePKIPNAlternateUserName" value="yes"/>

Phase 4: Advanced Configuration (Optional but Recommended)

4.1 Enable Extended Certificate Validation

  • In PVWA UI: Administration > Configuration Options > General

  • Set ValidatePKICertificate = Yes

Conditions required for validation:

  • No Elliptic Curve keys

  • Client cert includes Client Authentication in Extended Key Usage

  • CA has CA=True in Basic Constraints

  • No SHA1/MD5 used in signature

  • Cert is not self-signed

4.2 Configure web.config for PKI/PKIPN

Location: C:\inetpub\wwwroot\PasswordVault\web.config

For PKI:
No changes needed in the handler if already using:

<add name="PKIAuth" type="CyberArk.Authentication.PKIAuthentication, CyberArk.Authentication.PKI" preCondition="managedHandler"/>

For PKIPN:
Replace with:

<add name="PKIAuth" type="CyberArk.Authentication.PKIPNAuthentication, CyberArk.Authentication.PKIPN" preCondition="managedHandler"/>

Also, copy CyberArk.Authentication.PKIPN.dll into:
C:\inetpub\wwwroot\PasswordVault\bin

4.3 Validate Certificate Issuer (Restrict Allowed CA)

In web.config under <appSettings>:

<add key="PKIAuthorizedIssuer" value="CN=Your-CA-Name, DC=domain, DC=com" />

Use either:

  • Full Distinguished Name (DN), or

  • Simple Common Name (CN)

Examples:

<add key="PKIAuthorizedIssuer" value="CN=corp-DC01-CA, DC=corp, DC=com" />
<add key="PKIAuthorizedIssuer" value="corp-DC01-CA" />
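A pre-flight check for a user certificate, as an added example that is not part of the original post: it tests the ValidatePKICertificate conditions listed in 4.1 and the issuer restriction from 4.3 against an exported client certificate, and prints the Subject DN and UPN that PKI and PKIPN respectively match on. The certificate path and the PKIAuthorizedIssuer value are placeholders.

```powershell
# Added example, not part of the original post: check an exported client
# certificate against the ValidatePKICertificate conditions in 4.1 and against
# a PKIAuthorizedIssuer value as accepted in 4.3, before trying the PVWA login.
# Assumptions: $certPath is a placeholder for the user's exported .cer file and
# $authorizedIssuer is the value you configured in web.config (full DN or CN).
$certPath         = 'C:\temp\user.cer'
$authorizedIssuer = 'CN=corp-DC01-CA, DC=corp, DC=com'

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
$fails = New-Object System.Collections.Generic.List[string]

# 4.1: no Elliptic Curve keys (EC public key OID 1.2.840.10045.2.1).
if ($cert.PublicKey.Oid.Value -eq '1.2.840.10045.2.1') { $fails.Add('key is Elliptic Curve') }

# 4.1: Extended Key Usage must include Client Authentication (OID 1.3.6.1.5.5.7.3.2).
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })) {
    $fails.Add('EKU does not include Client Authentication')
}

# 4.1: no SHA1/MD5 signature, and not self-signed.
if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1|md5') {
    $fails.Add("weak signature algorithm: $($cert.SignatureAlgorithm.FriendlyName)")
}
if ($cert.Subject -eq $cert.Issuer) { $fails.Add('certificate is self-signed') }

# 4.1: the issuing CA must carry CA=True in Basic Constraints. Build the chain and
# look at element 1 (element 0 is the user certificate itself).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $fails.Add('chain does not build to a trusted root: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '))
} elseif ($chain.ChainElements.Count -gt 1) {
    $bc = $chain.ChainElements[1].Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    if (-not $bc -or -not $bc.CertificateAuthority) { $fails.Add('issuer lacks CA=True in Basic Constraints') }
}

# 4.3: PKIAuthorizedIssuer may be the full DN or just the CN; compare both forms
# (case-insensitive, spacing after commas normalised).
$issuerDn = $cert.Issuer -replace ',\s*', ', '
$issuerCn = (($cert.Issuer -split ',\s*') | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN='
$cfg      = $authorizedIssuer -replace ',\s*', ', '
if ($cfg -ne $issuerDn -and $cfg -ne $issuerCn) {
    $fails.Add("issuer '$($cert.Issuer)' does not match PKIAuthorizedIssuer '$authorizedIssuer'")
}

# What each method matches on: PKI uses the Subject DN, PKIPN the UPN from the SAN.
"Subject DN : $($cert.Subject)"
"UPN (SAN)  : $($cert.GetNameInfo('UpnName', $false))"
if ($fails.Count -eq 0) { 'All PKI validation conditions pass' } else { $fails | ForEach-Object { "FAIL: $_" } }
```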

Phase 5: Testing & Validation

5.1 Test Login via PVWA

  • URL: https://pvwa.domain.com/PasswordVault

  • Attach Smart Card or ensure client cert is installed.

  • Browser behavior:

    • Either auto-authenticates the user

    • Or prompts user to select a valid certificate

5.2 Troubleshooting

If login fails:

  • Check certificate trust chain

  • Verify UPN/DN matches Vault user

  • Confirm AuthMethod = PKI or PKIPN

  • Ensure IIS client cert mode is correct

  • Use supported browsers (Chrome, Edge, IE)

  • Review logs:

    • C:\inetpub\wwwroot\PasswordVault\Logs


Step by step screenshots for your reference:
--------------------------------------------

1. Vault Configured with CA Certificate 





2. Update the domain issuer details in the web.config file. 



3. Update the applicationHost.config

Location: %WinDir%\System32\Inetsrv\Config\applicationHost.config.



4. Import the user (Username) certificate on the PVWA server and on the client (testing) machine 



5. Verify that the installed certificate is visible at the browser level. 



6. Enable PKI in the PVWA Configuration Console

A. General level 



B. Authentication level 




7. User group mapping with external authentication like PKI (on top of LDAP) 




8. Log in to PVWA with the PKI authentication method









Happy learning!!






Monday, 28 July 2025

CyberArk: SQLPlus launch using CyberArk PAM 14.4

Connect to Oracle SQLPlus via CyberArk PSM (Privileged Session Manager)

CyberArk PSM offers secure, isolated, and monitored access to Oracle databases using SQLPlus. This article explains how to configure CyberArk PSM to enable connections to Oracle databases using SQLPlus OIC 19c.


Prerequisites

To connect to Oracle databases via SQLPlus:

  • Oracle Instant Client (OIC) 19c x64 is required

  • Recommended version: 19.18.0 or as per Oracle compatibility matrix

  • SQLPlus is typically installed automatically during PSM installation


Installation and Configuration Workflow

Task | Description
1️⃣ Install Oracle Database Tools | SQLPlus + Instant Client (auto-installed with PSM)
2️⃣ Configure AppLocker | Allow SQLPlus to run on the PSM
3️⃣ Configure PSM Connection Component | Set up connection path and settings in PVWA

Step 1: Verify Oracle SQLPlus Installation

No manual installation is needed — SQLPlus is automatically installed during the PSM setup.

  • Confirm SQLPlus is located at:

    C:\oracle\instantclient\sqlplus.exe

Step 2: Configure AppLocker for Oracle SQLPlus

  1. Navigate to the AppLocker configuration file:

    C:\Program Files (x86)\CyberArk\PSM\Hardening\PSMConfigureAppLocker.xml

  2. Remove the read-only attribute:

    • Right-click the XML file → Properties → uncheck "Read-only"

  3. Edit the XML:

    • Open PSMConfigureAppLocker.xml

    • Find the Oracle x64 connection clients section

    • Uncomment the Oracle section by removing the lines:

      <!-- If relevant, uncomment this part after installing Oracle client and Toad 16 x64. ... End of oracle connections comment -->

  4. Verify path accuracy:
    Ensure the paths match where sqlplus.exe is installed.

  5. Save the XML file

  6. Apply the AppLocker configuration:
    Open PowerShell as Administrator and run:

    CD "C:\Program Files (x86)\CyberArk\PSM\Hardening"
    ./PSMConfigureAppLocker.ps1

Step 3: Configure SQLPlus Connection Component in PVWA

  1. Login to PVWA as an Admin.

  2. Go to:
    Administration → System Configuration → Options

  3. Expand:
    Connection Components → PSM-SQLPlus

  4. Verify Target Settings:

    • Ensure the path is set correctly for SQLPlus:

      "C:\oracle\instantclient\sqlplus.exe" "{UserName}/{Password}@{Address}[:{Port}][/{Database}] [{ConnectAs}]"

Ref: Oracle SQL Developer | CyberArk Docs

CyberArk: SSMS20 launch using CyberArk PAM 14.4

Connect SQL Server Management Studio to CyberArk PSM with Database Authentication

CyberArk Privileged Session Manager (PSM) provides secure and monitored access to sensitive systems, including Microsoft SQL Server. This article walks you through the complete step-by-step setup to enable SQL Server Management Studio (SSMS) connections to SQL databases via CyberArk PSM, using local database authentication.


What You'll Achieve

You’ll configure:

  • SSMS as a PSM connection client

  • AppLocker policies to permit SSMS

  • PVWA connection component with proper parameters

  • Account and security settings for database access


Prerequisites

Before you begin:

  • PSM must be installed and operational

  • CyberArk PVWA is accessible

  • SSMS installer is downloaded from Microsoft

  • Local database account with permissions is created


Step-by-Step Configuration

Step 1: Import SQL Server Connection Component

  1. Go to the CyberArk Marketplace.

  2. Download the connection component:
    SQL Server Management Studio with Database Authentication.

  3. Copy files from:

    C:\Program Files (x86)\CyberArk\PSM\Components\Connectors\PSM-SSMSConnetor

    To:

    C:\Program Files (x86)\CyberArk\PSM\Components

Step 2: Install SSMS on the PSM Server

  1. Download SQL Server Management Studio (SSMS) from the Microsoft website.

  2. Install it at:

    C:\Program Files (x86)\Microsoft SQL Server Management Studio 20\Common7\IDE\Ssms.exe

Step 3: Configure AppLocker for SSMS

  1. Navigate to the PSM Hardening folder:

    C:\Program Files (x86)\CyberArk\PSM\Hardening

  2. Remove the read-only attribute from PSMConfigureAppLocker.xml.

  3. Edit PSMConfigureAppLocker.xml and add:

    <Application Name="SSMS20" Type="Exe" Path="C:\Program Files (x86)\Microsoft SQL Server Management Studio 20\Common7\IDE\Ssms.exe" Method="Publisher" />

  4. Save and close the file.

  5. Apply the AppLocker policy:

    CD "C:\Program Files (x86)\CyberArk\PSM\Hardening"
    ./PSMConfigureAppLocker.ps1
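Steps 2 to 5 above as one idempotent script, added here as an example that is not part of the original post or of CyberArk's own tooling: it clears the read-only flag, inserts the SSMS20 entry with an XML parser so the file stays well-formed and is not duplicated on re-runs, applies the policy, and asks AppLocker whether Ssms.exe is now allowed. It assumes the default hardening path, that the file carries no XML namespace, and that the new element belongs beside the existing <Application> entries; the same approach fits the Oracle entries in the SQLPlus post above.

```powershell
# Added example, not part of the original post: add the SSMS20 entry to
# PSMConfigureAppLocker.xml with an XML parser rather than by hand, so the file
# stays well-formed and the entry is not duplicated on re-runs, then apply the
# policy and test it. Assumptions: default PSM hardening path as on the page,
# the file has no XML namespace, and the new element goes beside the existing
# <Application> entries.
#Requires -RunAsAdministrator
$hardening = 'C:\Program Files (x86)\CyberArk\PSM\Hardening'
$xmlPath   = Join-Path $hardening 'PSMConfigureAppLocker.xml'
$ssmsPath  = 'C:\Program Files (x86)\Microsoft SQL Server Management Studio 20\Common7\IDE\Ssms.exe'

# 1. Step 2 of the procedure: clear the read-only attribute; also keep a backup.
Set-ItemProperty -Path $xmlPath -Name IsReadOnly -Value $false
Copy-Item -Path $xmlPath -Destination "$xmlPath.bak" -Force

# 2. Do not allow-list a binary that is not actually installed at that path.
if (-not (Test-Path $ssmsPath)) { throw "Ssms.exe not found at $ssmsPath; install SSMS first" }

# 3. Load the XML and add the entry only if it is not already present.
[xml]$doc = Get-Content -Path $xmlPath -Raw
if ($doc.SelectSingleNode("//Application[@Name='SSMS20']")) {
    Write-Host 'SSMS20 entry already present; nothing to add'
} else {
    $sibling = $doc.SelectSingleNode("//Application[@Type='Exe']")
    if (-not $sibling) { throw 'No <Application Type="Exe"> entry found to anchor the new one' }
    $app = $doc.CreateElement('Application')
    $app.SetAttribute('Name',   'SSMS20')
    $app.SetAttribute('Type',   'Exe')
    $app.SetAttribute('Path',   $ssmsPath)
    $app.SetAttribute('Method', 'Publisher')   # as on the page: match by code signature
    [void]$sibling.ParentNode.AppendChild($app)
    $doc.Save($xmlPath)
    Write-Host "Added SSMS20 entry to $xmlPath"
}

# 4. Step 5 of the procedure: apply the AppLocker policy.
Set-Location $hardening
.\PSMConfigureAppLocker.ps1

# 5. Ask AppLocker whether the effective policy now allows Ssms.exe.
Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -Path $ssmsPath |
    Select-Object FilePath, PolicyDecision, MatchingRule
```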

Step 4: Configure Account Settings in PVWA

While onboarding the target database account, define:

Parameter | Value
Username  | Local database user (e.g., sa)
Address   | Hostname/IP or FQDN of the SQL server


Step 5: Configure Connection Component Settings

In PVWA → Connection Components, configure:

🔸 Target Settings

Parameter                       | Description                          | Default
ClientInstallationPath          | Path to ssms.exe                     | C:\Program Files (x86)\Microsoft SQL Server Management Studio 20\Common7\IDE\Ssms.exe
WindowLoadTimeout               | Time to load Connect window (in sec) | 500
CmdLineParmsHideTimeout         | Cmd parameter hide delay (ms)        | 20000
ClientErrorTimeout              | Wait time for error (sec)            | 30
ApplicationStartTimeout         | App launch timeout (ms)              | 500000
Timeout                         | Wait for app window (ms)             | 8000
SSMSErrorMessageDisplayDuration | Display error pop-up duration (ms)   | 30000
MainWindowTitle                 | (Optional) App main window title     | -
MainWindowClass                 | (Optional) App main window class     | -

🔸 Encryption Settings

Parameter             | Description                                            | Default
Encryption            | Enforce encrypted connection                           | Mandatory
TrustServerCert       | Trust self-signed SQL cert                             | No
HostNameInCertificate | SQL server hostname (required if TrustServerCert = No) | FQDN

🔸 Optional

Parameter               | Purpose
AllowMappingLocalDrives | Allow drive mapping during session


Happy Learning !!