CyberArk Full Course - CyberArk Tutorial For Beginners | SecApps Learning

Double click on your VMware Workstation setup. It's a very simple installation; you just need to click on Next. Okay, I think it's taking some time to initialize. Okay, so you just need to click on Next, accept the license, then Next, and you can just keep the default setting as it is. If you want this, you can just let it be checked in, but I don't want it, so I'll uncheck these. So just click on Next. Okay, Next, Install. It will take some time, I think one or two minutes. Let's wait.

Okay, I think our workstation has been installed. There are also other virtual machines you can build on, like we have the Oracle and the VMware Workstation, so they are different kinds of workstation you can install. VMware Workstation is easy, so that's why I've installed this virtual workstation. Okay, so our download and installation part is complete. You need to specify the license key, otherwise it will keep on asking; when you just click on Finish it will keep on asking you to provide the license key, and it wouldn't allow you to install the Windows Server. So just click on License. I have the keys and I'll be providing these keys in the description box, so you can just copy them, go to the license and click Enter. Okay, so your installation part is complete. Just click on Finish.

Okay, as you can see, this is the icon of VMware Workstation. Just double click on this. Okay, so this is the interface of the VMware Workstation. As you can see, these are the options: you can click to create a new virtual machine, open a virtual machine, connect to a remote server, and there are lots of options. I'll be explaining these options in a different video; I'll try to make a specific video on the VMware Workstation only. So let's start with the Windows Server installation part. You just need to click on Create a New Virtual Machine and leave the setting as it is, the default
setting, then click on Next. Okay, so it will ask you where you have downloaded your Windows Server ISO image, so you just need to browse. Just click on Browse and go to the... so as you can see, this is the image, and you can see the size of this image is approx 4 GB. Okay, so you just need to select this, Open, click on Next. Okay, so it's asking about the product key. If you do not provide the product key, it will keep asking you about the activation process. I have the key, so let me provide that key. Okay, and again I'll provide this key in the description box, so you can just copy paste from there. Okay, and full name: you can change the full name to anything, so I'll put SecApps Learning. Okay, and you can also select the Datacenter from there, so I'll keep the R2 Datacenter as it is. Just click on Next.

Okay, so your virtual machine name: again I'll put SecApps Learning. Okay, and this is the path where your virtual machine will be installed, the setup file and all the configuration. If you want you can change it or let it be; I'll keep it as it is. So click on Next. Okay, so as you can see, the disk size: the recommended disk size for the Windows Server 12 is 60 GB. You can change it also, because it's a virtual machine. I'll change it to 20 GB, because we need to install the CyberArk component, so we will require at least 20 GB of space. Okay, so here you can click on Store virtual disk as a single file. It means your virtual machine setups will be installed in a single folder; if you select multiple files, there will be a separate folder on your system. I don't want to get confused, so I'm selecting this option. You can select multiple also, it doesn't make any difference. So just click on Next.

Okay, so this is the main part of setting up your Windows Server virtual. Just click on Customize Hardware. As you can see, there is already 2 GB of memory allocated to this server, so if you
want you can just change this to 1 GB, but I'll keep it as it is, the 2 GB, because otherwise your Windows Server will be too slow to respond. And the processor will be 1 GB, and the rest of the configuration, except for the network adapter. So I'll select the VM custom and the VMnet0. It means, because we need to provide the static IP to our server, that's why I'll select the custom one. Because what happens if you do not select this, when you provide the IP to your Windows Server, which I'll be showing you after this, is that it will pick your system IP. As you can see, my system is connected to Wi-Fi, so it will pick that IP, because it is DHCP, dynamic allocation of IP, where the IP is allocated automatically. But we want the static IP, so we will select this option. Okay, and just click on Close and Finish.

Okay, your installation of Windows Server has started. Let's wait for some time, because it will take some time, I think five to ten minutes, because it will download the configuration file and the other details. Okay, and one more thing: this is my first video, and if I'm going too fast while explaining, you can just comment below and I'll be explaining more about the topic. Okay, so let's wait for some time. The installation part has already started. And it's the same when the Windows Server is built on a physical, so it's the same thing in the production environment; we have a licensed version which is provided by Microsoft. The only difference is that we don't have the licensed one; it's a temporary license, so it will not work in production. Okay, so it's taking some time; let's skip this part.

Okay, so the installation part is about to complete, and it will restart automatically, so let's wait. If you want to go to full screen, then just click on this, so it will be full screen, and if you want to minimize, then just click on that again. Okay,
the Windows Server installation part is almost completed. Okay, let me pause again, let me skip this; I think it's taking more time. Okay, so the Windows Server installation part is completed. If you want to install this KMS, you just need to click on Begin Install, but I don't want to install it, so I'm just clicking on Exit. Okay, as you can see, our Windows Server installation part is completed. Okay, so this is the VMware Tools setup. It's basically provided by VMware Workstation only, and its main task is just to enable the copy paste option: if you want to copy something from your desktop or from anywhere to this server, you need to install this VMware Tools setup. So just click on Yes. It will restart and your VMware Tools will be installed, so you can just copy paste anything on this machine. Okay, I think again it will take some time. Okay, so it's installed; if you want to copy something on this, you can just copy paste.

Okay, so this is the Server Manager. When you install a Windows Server, you will find the Server Manager, from where you can manage your server. There are different settings, so I'll be explaining the basics only. As you can see, Workgroup: because we are installing a CyberArk Vault, it should be part of the workgroup only. Workgroup means it's a dedicated machine, so it's not in domain; domain means, like, it's not in the Active Directory. I'll be explaining all these things later on in different videos; I'll try to make the videos on a specific topic where I'll be explaining all these things. So for the CyberArk Vault installation, the server should be in a workgroup. Then you can just click on Remote Desktop, click on Allow remote connection, and uncheck this. Okay. And okay, so before defining the IP address, I'll walk you through the Windows Server so you can feel
how the Windows Server is, because there is nothing on this server, so you can see the services and other things. As you can see, when you install a licensed version, you will see Windows Server 2012 R2; if the Windows Server is not licensed, there will be a watermark kind of thing, like "Activate your server". Okay, so let's go to the services first and check these services. As you can see, these are the inbuilt services used by the Windows Server. One more thing: when we install CyberArk, after completing the installation part the machine will be hardened automatically, and after hardening the machine most of the services from here will be removed due to a security reason.

Okay, so let's define the IP address and the basic requirement for installing a Vault. So just go to... okay, I forgot that command, sorry for that. We can also define the IP address from here. Just click on... okay, as you can see, these are the items installed for this Windows Server. For installing a CyberArk Vault we won't require all these, so I'll uncheck them. Okay, so only these two, IPv6 and IPv4, are allowed. For installing the Vault in production you should uninstall all these except these two, IPv6 and IPv4. So I am unchecking everything except IPv4 and IPv6. We need to define the static IP, so just click on IPv4, go to Properties, then click on Use the following IP address. You can define any IP over here. I'll define... okay. In a production environment, if you have any default gateway you can define it here, but in the virtual lab I don't have one, so let it be. So just click on OK, Close. Open the command prompt and see if you are able to ping that IP. Okay, I am able to ping that IP, which means the IP configuration has been done successfully.

Okay, then what is it asking about? Okay, so what I'll do is just copy paste the setups. Okay, I'll provide the link from
where you can download the setups, because there is a CyberArk SFE, Secure File Exchange, from where you can download the setups and other utilities of CyberArk. But you won't be able to access the CyberArk SFE, because it's only allowed to the CDEs, those who have done the certifications, Defender plus Sentry and then CDE; only then do they get access to the CyberArk SFE exchange server. But if your company is partnered with CyberArk, you can just drop a mail to CyberArk asking for read-only access to that link. I'll show you how you can go to that link: just search for the CyberArk SFE, then go to support.cyberarcsfv.com. First of all it will show Access Denied; then just click on it and remove the slash. As you can see, this is the login part, for, like, you can download using your domain ID, using your company ID, to the SFE, and then you can just download the setup file. I've already downloaded the setup file. And one more thing: if you want the setup file, you can just comment below and I'll mail you the setup file so that you can install it on your system.

Okay, one more thing: we have installed this Windows Server, but I haven't reset the password of the inbuilt user. So you can just go to local users and computer. These are the inbuilt users of this Windows Server, so you can click on Administrator, Set Password, Proceed, and specify the password. It should be strong enough, otherwise it will not accept it. Okay, so the password has been set up. I'll do one thing: I'll create one more user, in case I forget the password of the administrator, because then I won't be able to access my machine. So I'll put my name itself, glassware. Okay, and I'll keep Password never expires, Create. As you can see, one user is created locally on this Windows Server. I'll make this user a part of the administrator group, so you can double click or you can just go
to Properties, then go to Member Of, Add, Advanced, then you can search. This is the inbuilt group, administrator; I'll just select this, OK, Apply. So this user will be part of the administrator group. Sometimes it happens that I forget the password of this user, so I won't be able to log in, so I should have one backup user; so I created just one. Okay, so let's start with the installation. And one more thing: I have started creating the SOP where I have just... just a second, okay, sorry for that. I have started creating the documents related to installation with screenshots, so I'll try to complete those and will share them with you all. You can comment below with your email ID, and also don't forget to subscribe, like, comment.

Okay, so let's start with the installation part. I've just downloaded the CyberArk server, then the PrivateArk Client, and the demo master keys and operator keys. The basic requirement for installing the CyberArk Vault is that you should have the master keys. I will show you what is there in the master keys. These are the important things, like the recovery private key, because in a disaster scenario we will require this key. This key is basically used for logging in the Master user. The Master user cannot log in; it's an inbuilt user of CyberArk. So the Master user cannot log in to the CyberArk Vault, and we will need this key to log in to the Master user, and it's only used in a disaster scenario. I'll be making a different video on that topic also.

So let's start with the installation part. The basic installation requirements are: if you are installing a small implementation where you only have a thousand accounts, you can just use 8 GB RAM and the DVD-ROM; all these are for the physical machine. I'll provide a link, and you can go to that link and see the basic requirements. That is basically for a
physical server only, not for a virtual machine, because it's recommended by CyberArk to install a CyberArk Vault on a dedicated machine only, on a physical server only. Okay, so let's extract all these files. You will find all these setups in the exchange, the CyberArk SFE exchange. So let me just... okay, so I'll remove... okay, so this is a test license. If you want, I can share the test license with me, so you can comment below if you want this license, because without a license you won't be able to install the CyberArk Vault.

Okay, so to start with the installation part you just need to go to the server, click on the setup and Run as administrator. Why are we doing Run as administrator? Because in the middle of the installation it will require some elevated privilege to install something on the hard drive. That's why we need to run all the setups with Run as administrator, so if admin privileges are required, it can use those privileges to install the file. Okay, so just click on Run as administrator, Yes. When you click on the setup file, it will automatically start installing the prerequisites, like Microsoft Visual C++, then the .NET Framework, and if you are installing the CyberArk Vault on Windows 2012 R2 then you need to install one update, KB something, so I'll be sharing that also.

Okay, so let's start with the installation part. Just click on Next. Okay, Yes. You can provide anything here. If you are installing the CyberArk Vault in production, then you can specify the name provided by the client. I'll just provide SecApps Learning. Okay, just click on Next. Okay, so these are two types of CyberArk Vault: the first one is the standalone Vault and the second one is the cluster node, or you can say HA. What does that mean? Standalone means there will be a single server, a single
server with all the information; all the account details will be stored there. But in cluster node there will be two servers: one will be in active mode and the other will be in passive mode. What will happen is, if the active server goes down, then the passive node will come up. That's why we install HA. But right now we will be installing the standalone only, so I'll just select the standalone, because for HA we will require the database, we will require the quorum disk and the SAN drive. I'll be making a different video on HA also. So let's start with the standalone Vault installation. Just click on Standalone Vault. Okay, if you want to change the location just click on Browse; if you don't, then let it be and click on Next. And again, if you want to change the location; I don't want to change it, so I'm clicking on Next.

Okay, so now it's asking for the license, so just click on Browse. Basically, when we install this CyberArk Vault there should be a DVD drive, because in a production environment CyberArk support does provide a master CD, a physical CD also. You can mount that CD to your physical server and from there you can map the master CD where the recovery key and other keys are stored. We don't have a DVD drive, so I'll just click on Cancel, and you can go to the path where you have stored your license. So I'll click on the license, okay, Next. Okay, so now we need to provide the operator CD path. Again click on Cancel, go to the operator CD, okay, Next.

Okay, so this is basically for a remote control agent; we can operate the CyberArk Vault using a remote control agent. We need to provide the IP address where the remote control agent is installed, and the password. Right now we don't have it, but we can do it later also by just making the configuration in the dbparm file. I'll be explaining that also in a separate video. So as of now I'll just skip the
remote control agent configuration. Next. Okay, so this is for the distributed Vault. CyberArk has come up with a new CyberArk Vault where we have the master Vault and the distributed Vault; the master Vault acts as a load balancer and we have the satellite Vault. In that scenario, when you access your account, if the request goes to the master Vault, then it distributes that request to the distributed Vault, or you can say the satellite Vault, so it acts as a load balancer. We don't want to install the distributed Vault. Basically it's used for different locations, like when we have different vendors in different locations, in India or Germany or the US; in that case we can use the distributed Vault. In India we won't find this distributed Vault concept, because in India, for most of the CyberArk projects, we prefer HA or the standalone Vault. Okay, I'm just clicking on Next.

Okay, so this is the important part. If you do not want to harden this machine you can just click on this, but when you are installing the Vault in production you need to click on Next, because you need to harden your machine to secure your server. So you need to harden your machine, where the unnecessary services and the ports will be blocked and you won't be able to access the Vault; RDP will be blocked, so you won't be able to access the Vault directly. So for installing the Vault in the production environment, CyberArk recommends that you install one server, and from there you take the RDP session to the physical server, to the CyberArk production Vault, and then you start the process, so that when the installation part is completed, the IP address of that server will be mapped to the dbparm file and RDP will be allowed for that particular server only. As we are installing in the lab, I am just installing the CyberArk Vault directly,
so I'll just click on Next and leave the default setting as it is. Next. Okay, so it's hardening now. What it will do is harden your machine, and most of the services and the ports will be blocked. Only port 1858 will be allowed, which is the port patented by CyberArk, so it will be allowed for the internal and outbound communication from the Vault to the CyberArk components. I'm just keeping my video, as it will take some time to harden the machine. Okay, hardening is completed; now it's installing the Vault database and other files. So let's wait; I think it will take approx two to five minutes. And I'll try to make the practical videos only, because you can find the theory on the CyberArk main website or you can just google it, and you will find lots of theory sessions and documents there. So I'll try to make the basics you should know to start your career in CyberArk.

Okay, so let's enter the Master password. This is the important step, because in production, if you forget this password, you need to pay CyberArk support to get the password or to reset the password. Okay, so in the virtual lab we can provide anything, so let me provide the same password for the Master user and the Administrator user. These are the inbuilt users, and they have the privileges to install anything and to make changes on the CyberArk Vault. So just click on Next. Okay, so it's creating the safes and the inbuilt users, so let's wait.

Okay, so our installation part is completed. I will not restart now, because I need to install the PrivateArk Client as well, so just click on No, Finish. So our Vault installation is completed. Go to Client. This is the PrivateArk Client; it's basically used for accessing the CyberArk Vault, and you can operate the CyberArk Vault from this client. We need to install this client, so again just click on the setup, Run as administrator. The installation part is very easy, but the tough part is
making the post configuration related to CPM, PVWA, PSM, which I'll be explaining in separate videos. So just click on Next, let it be default, Next. Okay, if you want to specify the Vault configuration just click on OK. The server name: you can specify anything. The address: the address of your CyberArk Vault, which we provided in the starting. And the default username: I'll be using the inbuilt Administrator only, so I'm just providing that. Okay, so this is basically for the proxy. If you want to access your CyberArk using iDRAC or something like that, you can provide the proxy, so it will use the internet and port 443; for that we need to open the port from the CyberArk Vault, because after hardening it will block each and every port except 1858. Okay, so we can just restart now.

Okay, let's see how much time it will take. Okay, so it started. As you can see, earlier we were not getting anything; this means your machine is hardened. So just click on this option. As you can see, this is the warning, which means your machine is hardened and only the allowed user can access this machine. Click on OK, and Administrator. Remember the password which you set earlier after building your server. Okay, so we are good; this means your machine is hardened. And okay, it will automatically open when you restart your machine, so I'll just check this so it doesn't open after restarting the machine.

Okay, so this is your Vault server. As you can see, the server 12.0 is up. I have installed CyberArk Vault version 12 because we will be upgrading this to 12.1, which is the latest one, in another video; that's why I have installed 12.0. Let me show you one thing: this is the PrivateArk Client, and you can access the CyberArk Vault from here itself. So let me just... sometimes what happens is your name goes... just a minute, okay, sorry for that,
sorry for the interruption. Okay, so this is the PrivateArk Client; using this client you can access the CyberArk Vault. Sometimes what happens is the icon is automatically removed, so you can just create one: go to File, click on New Server, server name SecApps Learning (you can provide anything in the server name, but the address should be the same), okay, Administrator, click on OK, OK. So this is the icon; you can just double click on it. And if you want to change the authentication method, again I'll be making a different video on the authentication methods, because I don't want this video to be very long; that's why I'll try to make separate videos on a single topic. As you can see, these are the different authentication methods, so you can use a different authentication method to log in to this PrivateArk Client. For these CyberArk users you need to select the PrivateArk authentication only. So just click on OK, OK, Administrator. This is the inbuilt Administrator user; this is not the local user. The local server user is different, and this is the CyberArk Administrator, so you need to provide the password of the CyberArk Administrator only. So just provide the password which we provided while installing the CyberArk Vault.

Okay, so as you can see, these are the inbuilt safes, the default safes which are installed when you install the CyberArk Vault. These are the default ones: VaultInternal, where the internal configuration of CyberArk is kept; System, which has the license file and other CyberArk configuration; and Notification Engine, which is used by the CyberArk notification engine service. Every safe and every user has segregation of duties. Okay, so let me just close these safes. Okay, so this is the interface: after you install the CyberArk Vault you will see these three safes, which means your installation is completed successfully without any error.
So if you do not see any of the safes, it means something is missing, so you can just reinstall: click on the setup again and it will ask you for Repair or Remove. You can repair, or if you want to completely remove the setup you can click on Remove and then reinstall the CyberArk Vault. Okay, so I'm just logging off here, and I'll show you the services of CyberArk. As you can see, this is the service CyberArk Event Notification Engine. This service is basically used to send the notification emails to the supervisors, or you can say owners of the accounts. And Hardened Windows Firewall: what CyberArk does... this is the inbuilt service of the Windows Server, and after the hardening of the server it automatically renames the service, so as you can see it's renamed to CyberArk Hardened Windows Firewall. Okay, and the third service is the CyberArk Logic Container. It's a container; it contains the master policies related to PSM, PVWA, CPM, so it's an important service. If it's stopped, you won't be able to access PVWA, PSM, CPM; they will stop functioning.

Okay, so these are the three services, and we also have other services. PrivateArk Database is also one of the important services: if you stop this service your CyberArk Vault will stop, because it's the dependency of the CyberArk Vault, you can say. And this remote control agent: when we were installing the CyberArk Vault we just skipped that remote control agent part. When we start this service, we will just make the changes in the CyberArk Vault configuration file and the IP address where the remote control agent is installed; then we can access the CyberArk Vault using the remote control agent. Sometimes what happens is you are not able to access the CyberArk Vault using RDP or from any of the external applications like iDRAC; then in that case we
can operate the CyberArk Vault using the remote control agent.

So click on Create a New Virtual Machine, Next, and the path where you have installed the Windows Server ISO image. I have already shared that information in my last video; you can just watch that video. Click on Next, and you need to provide your Windows product key, which again I'll be sharing in this video, so let me find the key. Okay, so this is the key; using this key you can activate your server. Just provide that, and you can change the name if you want, so I'll change this to SecApps Learning. And the password: you can provide any password, but it should be strong enough, otherwise it will not allow it and will show an error message. Click on Next. Your virtual machine name: I'll provide PVWA, then click on Next. Again it will ask for the disk size, so I'll just provide 20 GB, okay, and Store virtual disk as a single file, and then Next. Customize Hardware: I'll provide 2 GB only, then custom VMnet0, so that it will not pick my Wi-Fi IP address, because we need to provide the static IP. Okay, so the rest of the information will remain as it is. Close, Finish. It will take some time to build your Windows Server, so I will skip this part, otherwise the video will be too long again. So let me pause this.

So our Windows Server is about to install, and it's getting restarted, so let's wait for the installation part to complete. And one more thing: PVWA, then CPM, then PSM, these are all CyberArk components, and all three can be installed on a single machine also, which I'll be showing later on. Today we will only be discussing and learning about the PVWA, Password Vault Web Access. Let's wait; I think it's getting ready. And about the PVWA prerequisites: I have already provided the link in this video's description, so you can explore more about the prerequisites. The prerequisites for PVWA are: Internet Information Service should be installed, and then the
.NET Framework 4.8 and a certificate; we will need an SSL certificate to host the PVWA URL, and using that URL only we will be accessing the CyberArk Vault. Let's discuss after this installation is completed. Again it's taking time; let me pause, otherwise the video will be too long.

Okay, our server installation part is completed. Whenever you are building a CyberArk component, or when you are installing a CyberArk Vault or PVWA, you need to first build a Windows Server; only then can you install their setups. So first let me define the IP. Earlier we defined the 10 series, like 10.1.1.1, for the CyberArk Vault, so we will be defining the same series for this. Just go to Local Server, or use the command, and here you need to specify the static IP. Click on IPv4, Properties, Use the following, then specify... when you hit the Tab option after providing the IP address, it will automatically pick the subnet mask, or you can provide it manually. Okay, just click on... oh sorry, sorry, actually we have provided this IP to our CyberArk Vault, so we cannot provide the same IP. I will change it to two. Just click on OK, Close. Okay, so let's ping this IP. Yes, we are able to ping this IP. And again let's see if we are able to ping the CyberArk Vault IP or not. Yes, we are able to ping it, so it's fine.

Now we can install the... okay, so first we need to install these VMware Tools so that the copy paste options are again enabled. So before that, we need to install the PVWA, so let's go to... so this is the link from where you can install the .NET Framework 4.8. I'll provide this link in the description, so you can go to that link and download it. I have already downloaded it, so let me get that information. And the setups: again, if you want to download the setups you need to visit the CyberArk SFE, which is a secure file exchange server of CyberArk where all the
setups of CyberArk and its components are there but you can just log into that server only if your company is a partner with the CyberArk so you will get the login access using your company's domain id or if you have done the CDE certified delivery engineer and if you have done the Sentry and Defender certification along with the CDE then only you will be getting the access to the CyberArk SFE so if you want this setup i can just provide you the setup you can mail me so i'll share the setup with you all so let's i've already downloaded so let's copy paste the PVWA okay so uh actually we have uh two version of PVWA so like when CyberArk brought this 12 version so uh later on there was some vulnerability on that PVWA so they have just uh brought one more PVWA so we will start with the previous only like 12 version only so let me copy this and the dotnet framework as well as go to your machine okay okay you can just copy paste okay first let me this go to manage server manager properties then do not start this now copy paste that okay i have to again copy paste those things okay both the setups are copied so before like starting the password vault uh web installation we need to install the dotnet framework so let's start with the installation part i think it will need some internet access let's see if it's asking for the internet okay it's i think it's asking for the internet connection so let me how you can start the internet in your virtual machine just click on the PVWA or you can just click on the machine right click go to settings and you can see add button click on add network adapter because in that adapter you have already provided the ip static ip so it will not connect to the internet option so we need to add one more network adapter and just okay click on ok so you will see your virtual machine will be connected to internet in a while yes okay as you can see your internet machine is already connected to internet so so that these uh
downloading and installation process get started because it's asking for some this KB4486105 it's a windows update so i think dotnet framework requires a windows update so that's why it's asking for the download so let's wait for the download process to complete meanwhile we will extract the PVWA file extract okay so meanwhile we will what we will do we will install uh one of the prerequisites which is IIS so let's go to the server manager and you can do uh using a script also like you can just install the prerequisites using a script also but like sometimes what happens this script is not working fine in the virtual machine or you need to make some changes in that file so that's why we are doing manually also so i'll show you like how you can install this uh prerequisites and other files using this script so you can just go to the setups and you can see the installation automation and these are the script you can make the changes by editing and like what are the changes you want about the PVWA url and the hardening process etc so i don't want to start with the automatic installation because in that many time the script is not working fine so it will give many errors so avoiding that so let's start with the manual process go to your server manager click on add roles and features let me go to full screen mode okay and okay so let's start again go to your server manager click on add roles and features click on next next again next and scroll down and select this web server IIS so it's like it will host your uh application like it's a IIS you can say it's provided by windows server you can say it's a web server where your website will be hosted so that's why it's one of the prerequisites of PVWA so PVWA is a web interface so we will require a web server where we can host the website so that's why it's one of the prerequisites of PVWA so just select the web server next and okay so select this asp.net 4.5 next okay so these
are the uh important part and while installing the IIS so most of the features will be auto checked so you need to select more so just click on the http redirection scroll it down and then request monitor again scroll it down basic authentication then windows authentication scroll it down expand application development then select asp 3.5 4.5 okay scroll it down and then select all the IIS related features okay so we are done with the oh yes so let's start let's click on next uh what does it's showing do you need to specify alternate no we don't want so select this restart the destination so like it will automatically restarted when it's required so just okay so let's uh first wait uh for this installation dot net framework is installed otherwise like if it will get restarted in between so we will lose our dotnet framework installation so let's wait for some time like after this installation is completed we will click on install so that our IIS web server will be completed oh it's completed great then click on finish so it will ask you for the restart now restart later so take the effect so we will do it later on so click on restart later now install the IIS click on install so let's wait for some time your IIS application will be installed uh meanwhile i'll explain about like what are the items there in the setup of PVWA okay as you can see hardening like when you are done with the installation of PVWA you need to harden your machine hardening means like you need to harden your machine so that it's accessible through like more many of the services will be removed and the unnecessary parts will be removed so that like it's more secure so in a simple terms we can say then we have installation automation like using these script you can just harden your machine you can install the prerequisites it's a powershell script so i'll be showing later on like because it will need more time like we need to make changes in the
configuration file in the as you can see the xml file so that like uh our script won't fail so i'll be making a separate video where we will be discussing about the automation like how we can automate the installation part then its prerequisites and other important uh things of PVWA are there in this package so let's see if we are done with the IIS installation part okay i think it's taking time so like again i'm skipping this part so let me go to let me skip this part otherwise it will take more time again okay so it's getting uh restarted so let's see uh if we were able to install the IIS application or not so let's wait okay it's completed let's see if we were able to install the IIS application or not so just login with your password and one more thing like if you are facing any issue while installing the IIS application or building up your server you can comment below i'll try to solve your query so let's see if you were able to access the IIS application or not go to server manager okay so we are not able to see any error here so so it means like we were able to install okay so it's pending so like when your machine gets restarted then you can just go to the server manager and you can see like the installation part is complete or not as we can see your installation succeeded so close now verify go to the search option search for IIS you can see internet information services click on that okay so this is your IIS server manager so let me verify it's the six or seven go to IIS okay so this is the one so here you need to specify the binding binding means like this is the web server where your PVWA url PVWA web interface will be hosted so go to sites default website and here you can see the bindings click on bindings click on add and select https which means it's a secure http single http http means like website is not secured it doesn't have any ssl certificate so we will be using a self signed certificate like when you install the IIS and when you install
a server a self signed certificate is created i'll show you this is the self signed certificate WMSVC select this and you can see the ssl certificate like https will use 443 port and http will use 80 port so we will like CyberArk recommend like you should have ssl certificate for your PVWA url so like it's a virtual machine so that's why we don't have any specific certificate for our PVWA in production you will get a certificate ssl certificate which is more secure and you can apply that certificate to your machine like in same way you need to apply like you need to install that certificate on your this server and then you can just you need to import that certificate to the personal of the certificate authority and then you can just you will see that certificate here a list of certificate and you can just select the certificate okay and close your ssl certificate will be applied to the IIS application so after that like after you have applied the certificate you need to restart the IIS services so how you can restart just open the command prompt or you can do with the powershell also but like your powershell should be run as administrator then type this command iisreset your IIS services will be reset so that it will apply the certificate which you have just bound to your web application okay so your IIS application has been restarted successfully now we will start with the PVWA installation part so close this go to your okay before that like earlier we have enabled the network adapter so what we will do we will just remove that because we will need a static ip only so we will remove the extra network adapter click on that and just remove okay go to your setup files right click on setup run as administrator and again it will install one of the like more prerequisites which is microsoft visual C++ so just click on install okay so you can see the login process has been restarted has been started so click on next
accept the license agreement yes and again you can just specify anything here i'll specify my channel name click on next and again if you want to change this destination folder path you can just go to browse and you can change where you want to install your password vault your PVWA setup files installation file sorry so i don't want to change so i'll keep as it is so click on next again next and okay so these are the two options like first one is like you can access the uh password web using your machine your desktop and again like if you want to access the password vault you can access using mobile which i'll be explaining in a different video because it will require more configuration and more changes how you can access your PVWA using your mobile phone so i'll uncheck this option click on next okay so this is the important part you need to select the authentication type so i'll select the CyberArk one of the default authentication just scroll it down select the ldap and if you want to select all you can select but i'll keep two only because later on we can just enable these authentication method also but like before starting this video we need to enable the CyberArk authentication type and default authentication will be CyberArk only just click on next okay your installation part has been restarted let's see let's wait for some time the installation part is like it's not very tough like you need to just click on next and next and have to apply the like you need to apply the config you need to specify the configuration file like the vault ip address then the administrator password rest is like it's not so difficult like later on the configuration like post configuration how you are managing your account how you are changing the password of an account so those configuration are like a bit tough so we will specify the vault address ip of the vault so let's see if our machine is this is our CyberArk vault machine so let's see if it's
okay so it's close so let me log into this machine otherwise our PVWA installation will fail so let me log into this machine and see if our CyberArk vault okay so it's already running okay so let me go to small okay our CyberArk vault is already running so go to PVWA okay okay so this is the important part like you need to change this as it will pick your host name your server host name i'll show you what is your server host name now you can just see using a command post so this is the host name the default host name of your host name you can say the name of your computer name of your server so when you install the PVWA it already like it automatically picks up your host name so change it to the ip address of PVWA which we have specified earlier because we don't have any dns like so that's why again i'll be explaining that in my later videos which i'll be sharing later on so just specify the ip address and you can see the port will remain same as it is it's a CyberArk patent port click on next okay so this is the vault server username and the password detail which means you need to specify the i'll show you you need to specify this user this is the CyberArk vault administrator inbuilt user so what it will do it will create the PVWA environment on your CyberArk vault so you need to specify the password of your administrator like i've already discussed about it in my previous video so if you are missing that information you can just go back to my previous video and you can see like how we have uh specified the password and how we have uh accessed the CyberArk vault so i'm just typing the password here okay so it's checking the connection okay so updating server environment has begun so let's see okay so it's showing several errors occurred during environment creation check the logs okay so our installation part has let me pause and see like what's the error okay the problem was like i have already installed the PVWA earlier and i
removed a few of the files so that's why it was causing the issue so let's repair this so that we are able to install the PVWA properly so let's go to again click on the setup run as administrator let's see if it's asking for the repair so we will just click on repair so like it happens like when you are installing the PVWA for the first time and you are getting some error and you are not able to resolve it properly so it can be due to like the prerequisites are not installed on the server or it's not able to connect to the CyberArk vault so that's why the issues can be so you can just repair you can just click on repair click on next okay so it's repairing so let's see if we are able to install or not otherwise we need to see like the log files and other configuration file if you are missing something or not like because it's a machine like it's a virtual machine and the error you will get here you might not get in the production environment so let's recreate the server environment for the application yes just select the vault address as it is PVWA url and just click on next specify the password of administrator let's see yes it's able to connect to the CyberArk vault now we will see if it's able to create the PVWA environment okay so your as you can see your installation part has been completed so without any error because like i have already installed the PVWA earlier before this video and like i want to show you the practical session so that's why i removed so i missed many of the files so few of the files were already present on the CyberArk vault i'll show you what i did let me first log into this PrivateArk client just click and log in with your administrator password so you can see like uh when i installed the PVWA earlier so there are the few safes like few safes of the PVWA are automatically created so and i haven't removed those configuration those safes so that's why it was causing the issue so what i did i just renamed i
renamed the old safes so that's when the new safes are installed so it won't create any issue so you can see i have renamed the safes to one you can see so these are the old safes and the new safes which i have created recently are PVWAConfig which is the main configuration file uh which is the main safe of PVWA and it contains the configuration file of PSM and CPM and the safe template you can see i'll be explaining this uh in a detailed video later on so just close this safe and you can see other safes like the private user preferences just contain the user preferences like our users preferences you can see and reports it does have the information related to PVWA reports which i'll be showing today only in this video and so these are the inbuilt safes like where the necessary files are kept and stored and it's accessed using the PVWA accounts only so i'll show you the inbuilt users of PVWA just go to tools administrative tools users and groups as you can see these are the inbuilt users and group of PVWA PVWAAppUser is only used for the internal processing internal processing of the PVWA so like when you will open the PVWA url so it's processed by the PVWAAppUser only so using this app user you are able to open that url then this is the group PVWAAppUsers group so the member who are added in this group will be able to access will be able to control the PVWA and this is the gateway account so this group or user the gateway user you can see are able to get you login access like when you are log into the PVWA which i'll be showing later on so what it will do it will fetch your credential from the CyberArk vault and it will give you the login access then PVWAMonitor so it will be used for the monitoring your sessions and other recording files which i'll be showing later on then PVWAUsers so again it's a internal use for the internal processing of the PVWA and just okay so just go to your PVWA url okay so your PVWA installation part is
completed successfully now we will login with PVWA go to internet first go to the internet option you can install the chrome also you can just download the setup from the google chrome and just paste that setup in your windows server and you can just install the google chrome to open your url open your PVWA url web interface okay apply go to security trusted website sites specify your this is your PVWA url like while installing the PVWA there was a PVWA url so this is the url so just add this close okay so just open that url okay so it will show you this error because the certificate which we have used is uh not a correct one it's a self signed certificate so in the production you will be getting a secure certificate which will be generated from the certificate authority so just go to the continue to this website okay so this is the web interface this is the web interface of your PVWA using this interface you can access your CyberArk vault so there are two ways of accessing the CyberArk vault so first one is like you're accessing your CyberArk vault using this client this PrivateArk client by providing your passwords and second is this web interface so you can just specify the same username password administrator and your password and you can log into this this is the interface like this is the interface of your PVWA you can say web interface so using this interface you will be doing the operational task like onboarding the account uh managing the uh safes and the owners and more so again i'll be making a different video on the PVWA operational task main configuration and other things as well as so let's go to administration this is the v10 interface so i don't like this interface so i'll change this interface to the old one the classic one so just go to the address this administration tabs then option then go to general and scroll it down now you can see this is the use v10 login page so i don't
want to use this so what i'll do i'll just no click apply no and apply okay and i'll log in i'll log off and log out so as you can see this so let me go to full screen okay so this is the login option so use your administrator password okay so this is the classic view of your PVWA because i don't like the v10 interface so that's why i have changed this interface so okay so now we will be doing our installation part is already completed so what i'll be doing i okay i'll show you these safes master policies other things just go to full mode okay go to policies and access control you can see so these are the inbuilt safes inbuilt safe of the CyberArk vault and PVWA so like what uh why we use this add safe concept like if there are two teams like windows and the unix team so they want to access the CyberArk they want to access their server using the CyberArk vault so what we do we will add two safes like we will add two safes you can name it anything windows team so this safe will be accessed by the windows team only so when any of their team member will login to this PVWA using their domain id so they will be able to see their account only their safes only this windows team and same with the unix team uh so when they will log into the CyberArk vault so they will be able to see only their accounts only so it's a you can say role based access we can define like we can give the access to a user so that he is able to see the particular account only so we haven't installed the CPM so which i'll be sharing later on so this is only the overview what are the safes and the policies and you can just segregate the policy by platform itself you can see the policy by single platform so which again i'll be sharing when we will install the CPM then this is the master policies so these are the options like dual control which means like when you will access an account so you
will require a permission you will require an approval like when you will request to access an account so the permission like the approval will go to your manager or your lead so when they will approve then only you will be able to access your account then we have the check-in and check-out exclusive it means like when a user like when there is a single account and one of the user is already using that account so when you will activate this uh setting so what it will do it will lock that account and until that user is not finished with his work so you won't be able to access that account so it means it will lock the account until it's not released by you and okay this is the policy one-time password so it means like when you are using an account when you are using an account to connect to a target server so after that like uh after you are done with your work and when you disconnect the session so it will change your password so what it will do it will change your password whenever you use the account if you are using your account 10 times a day it will change the password 10 times only okay so this is the option like when you will uncheck this option you won't be able to get the connect option which i'll be showing later on when we will install the PSM because PSM is a privileged session manager and it helps in establishing the connection and okay so this is the required user so when you will click on the connect option then there will be a pop-up you need to specify the reason why you are accessing this account or the server so you need to specify the reason okay so we have the different so i'll be explaining these policies when we will have the CPM installed and the PSM so in that case i can show you how the connection goes and how you can change the password of an account etc okay so this is the overview of the safes and the policies and the platform settings so just go to the accounts okay so let me see what are the things i have to
explain okay so PVWA hardening okay so we are missing the PVWA hardening we forgot so it's recommended by CyberArk when your installation part is completed you need to harden your machine so that unnecessary services and the files are removed from your server so let me okay so first what i'll do i'll explain you about this PVWA services and i'll show you how you can showcase your login message like when you will log into the CyberArk okay let me go to full screen mode go to administration option then general and look out for the login message um okay so this is you can see this is the login message you can type welcome to anything anything you want you can just type it here welcome to SecApps Learning okay and just click on yes it will display your message when you will log into the PVWA so let me log out and see okay so as you can see this is the message back uh welcome to SecApps Learning so you can provide anything like uh you can specify welcome to CyberArk or your company name anything you can specify here so just click on go and you can see these are the authentication methods so you can enable uh radius and other authentication method which are supported by CyberArk so ldap means like when we will integrate the active directory with the CyberArk vault then we will be able to uh log into CyberArk using this ldap authentication so okay so now i have to change this uh banner this logo so how we can change it go to your c drive then inetpub go to wwwroot PasswordVault and the images okay so login custom logo let me see if it's this is the one no okay this is also not the one okay so this is the okay so this is not the logo let me see what's the okay this is the one so if you want to change this custom logo anything you want you can just replace uh with your icon and you can just paste your you can say your logo i have to search for that let me logan ca logo custom logo cyber arching okay so this is the home okay
so we need to replace this one so let me do one thing i'll copy one of my page i can just copy you can copy that directly here okay so it's not allowing directly so let me copy here okay so your icon is copied so go to the same path paste okay so you need to copy the same name first copy before copying that you can just rename this name should be as it is so let me rename my logo okay so it's renamed so whenever you are making changes in the PVWA configuration file you need to reset the IIS services so that your changes are applied so just go to the powershell or the command prompt using like run as administrator iisreset okay so IIS services is started successfully so let's see go to your login page just refresh okay as you can see our logo the home page banner is changed so if you want to change this or the login anything you want if you want to change you can just go to that inetpub then images and you can replace your image with the current one and you need to provide the same name so after that you can just reset the IIS services then you will be able to change the images okay so let's see okay so this we are left with the PVWA hardening and PVWA services so let me show you first about these services every service of this CyberArk component will either start from the CyberArk or it will start from PrivateArk so you can just search for CyberArk scheduled tasks so this is the CyberArk services like it's used for scheduling the reports if you want to fetch the report so you can this is the service for that okay so now we will do the hardening process so for that go to the hardening okay wait a minute okay so this is the configuration like when you are installing the CyberArk PVWA then when you specify the vault type so it's the configuration file for that so if you want to specify more ip then you can just provide the comma if there are dr also like if you have the disaster recovery service so you
can specify the ip here by just separating by comma okay so let me go to the hardening so these are the inbuilt user gateway user app user and the api gateway user which is uh which is used for the rest api like if we want to connect to the PVWA so there is a rest api used so if you want to change the key for api so you can also change but i'll be making a separate video for that also so let me find the wait a second let me put okay sorry for the interruption uh i forgot the path like where the hardening folder is there so you can just go to your package go to the installation automation so here you will find the hardening script how you can harden your PVWA server so if you want to specify if you want to make the changes you can just edit the script and if you want to make changes related to your path and the log files and other necessary information you can just edit it and you can change it so this is the file so how we can run this file and this is the configuration file you want to change like if i want to change the here this is the file which is used to harden your IIS and the you can see the IIS WebDAV and other IIS settings remote desktop services etc so wait a minute like let me connect to the z let me connect with my charger so as my battery is getting low just a minute sorry for the interruption so now we are going to harden our PVWA server so how you can harden the machine and before that you can just see the PVWA okay so this is for the automatic installation okay so just go to your powershell machine run as administrator and copy this path where your hardening script is kept go to your powershell script go to that path how you can go to that path just type cd double inverted comma when you will right click on that so your path will be copied so let me go to full screen mode close the inverted comma and hit enter as you can see we have moved to this uh path where the hardening script is kept so
how we will run that script just type PVWA and click on tab option tab so it will automatically go to that script and after that you need to just hit the enter so your hardening process is started so it will take some time like it will harden your IIS services your other configuration file like when you will access these CyberArk PVWA folder or log file so it will show you a warning message it will ask you for the UAC user access control so let's wait as you can see this is a powershell script and you will find the script in this uh the package like when you will download the package from the CyberArk SFE you will find this hardening script and there are different types of script like let me show you when your machine like let me show you that also uh okay so when your CPM and PVWA is installed on a single machine and then you need to use this CyberArk hardening script and when the PVWA is installed on a single server on a standalone server and then you can just use this the script and again if the machine is out of domain which means like the machine is not in domain which i'll be showing later on when we will install the PSM like how you can make a machine how you can move a machine into a domain and out of domain okay so these are the four different type of CyberArk PVWA hardening so let's see our hardening process is completed or not okay i think it's already completed operation succeeded and starting it's already started the services IIS services let's see go to these services and we will check okay the service is running fine and we will check the IIS okay so i need to go to as run as administrator so it means like when you are log into the PVWA with the other user like you are not using the administrator so you won't be able to access the powershell you won't be able to execute the elevated things like you won't be able to make changes on this server so only the administrator or the member who is the part of the administrator
group only can access the configuration file or make the changes on the hard drive so let's see okay so our IIS services are running fine so let's again go to your PVWA and see SecApps Learning go to welcome to choose your CyberArk inbuilt administrator credential to log into PVWA okay so we are good with this our installation and the hardening process and overview of this CyberArk has been completed okay today we will learn about the CPM installation about its prerequisites then the main configuration what are the inbuilt safes and the inbuilt users then a little about the troubleshooting of CPM scanner service then the hardening and also today we will be onboarding one account and we will change the password of that account so okay so before starting uh this video i would like to recommend you like if you haven't watched my previous videos because i'm making a series like where i've already made a video on the CyberArk vault and the PVWA installation so you can watch those videos and then you can just come to this video because it's a series and today i'll also answer about one thing like in most of the interviews like the question is asked like why the PVWA is installed before CPM because earlier before 10.7 the CPM was installed before PVWA why the sequence has changed so i'll be uh telling you in this video i'll show you practically why the sequence was changed so let's start with today's video so first uh let's talk about the prerequisites so basic prerequisites of installing these CyberArk components are like the windows server then the dotnet framework and the microsoft visual and also like each component have different prerequisites like PVWA has the IIS and the PSM will need the rds and the vault needs to be installed on a dedicated machine so uh on CPM like installing a CPM is very easy like apart like if you compare to the rest of the components so let's open our virtual machine and one more thing like we can install the CPM PVWA and PSM on a single
machine, and in production you can install them on a separate, dedicated virtual machine, but in a lab we can install all the components on a single machine.

So let's start with the installation part. I have already copied the setup file of the Central Policy Manager, or you can say CPM. I'll provide the link in the description from where you can download the setup files, and those who don't have access to the CyberArk Secure File Exchange server can comment below or mail me and I'll provide you the setup files. And one more thing: okay, so the .NET Framework is already installed on this machine, so we will start with our installation part.

Okay, first check if your server, the CyberArk Vault, is up or not. Okay, so it's up, so we can install the CPM. If our CyberArk Vault is down, the installation will fail, so that's why we need to check if it's working fine or not. Okay, so let me log out from this also.

Okay, so I'm just running the setup file: Run as administrator. Okay, provide anything here; I'm providing SecApps Learning. Next. This path I'll leave as it is; if you want, you can change this. So our installation has started. Okay, so if you are installing the CPM, you need to just select the "No Policy" option, and if you are installing the second CPM, again you need to select this "No Policy Manager was installed", because otherwise it will override the previous CPM installation file. So just select No, then click on Next and provide the Vault address, the IP address of the CyberArk Vault. Just click on Next, provide this administrator password; this is, sorry, the CyberArk Administrator password. Next. So it's creating the Vault environment.

So meanwhile, while the installation part is going on, I'll try to explain about the CyberArk Central Policy Manager. So what it does: you can say it's one of the important components of CyberArk, and it changes the
password of an account. So it's used to change the password of an account, verify, and the reconcile part, which I'll be showing you after this installation.

Okay, so it's showing an error while trying to import platforms. We can ignore this error; it means it was not able to import all the platforms, which I'll be sharing after the installation part is completed. Okay, and an error occurred during service installation; we can ignore this error, we can just troubleshoot after this. So click on Finish. Okay, so our CPM is installed successfully. So there was an error related to one of these CyberArk Central Policy Manager services, which I'll be troubleshooting now.

So first go to your Vault and then log in to the PrivateArk Client. Okay, as you can see, the CPM installation is successfully completed and these are the safes. So let me go to details; I can show you later. So as you can see, these are the CPM safes. The CPM uses these safes for the internal processing, like onboarding the accounts using Windows discovery, and the temporary files. So you can see PasswordManager; this is one of the users. When you install the CPM, one user is created, which is PasswordManager. So our CPM installation is completed successfully. If these safes were not created, then there might be an issue related to the CPM installation, but we can see the safes; these are the inbuilt safes and they have already been created.

So we can just go to the CPM, or you can say PVWA, so let's see what's the error we were getting. Go to Services. Okay, so this is one of the services that is not running, and the Password Manager is running fine. So the Password Manager service is used to change the password of an account, or it will verify the account, reconcile the account; I'll show you after this. So first we will troubleshoot the Central Policy Scanner. It's basically used to communicate to the PVWA so that it can run the discovery. Windows discovery is one of the
features which helps in scanning your environment, so that you can know about the privileged accounts, how many privileged accounts are there in your environment, so that you can onboard those accounts. So this service is being used only for the Windows discovery. So we will see what's the error, why we are having the issues, why it's not running.

So let's start. Okay, so some services automatically, if they are not... okay, so let me go to the logs and we'll verify what's the error. So go to Program Files, CyberArk, Password Manager, and the log files, and this is the CACPMScanner log. So open this and we will check what's the issue. Okay, so it's related to the SSL certificate. Because the CPM Scanner service interacts with the PVWA, it should trust the SSL certificate. So in production what you do is, the certificate which you have issued for the PVWA from one of the authorities, the same certificate should be issued to the CPM, so that it can trust the PVWA and can build, you can say, a trusted channel, so that the CPM Scanner service can be started.

So okay, let's do one thing: go to your IIS. Okay, so it's giving this because the common name in the certificate is WMSvc, but the URL of the PVWA, I'll show you, is different, so that's why it's not able to communicate. So first find out your host name. So this is the host name; copy it. Go to Internet Options, Security, Sites. Okay, so it's opening.

So do one thing: go to the CPM folder again, Password Manager, then Vault, because this is the key; this is responsible for communicating with the PVWA. So go to Vault and you will see in the API address it's the IP, so we can just replace this with the host name. So let's see if we are able to run that service. Okay, save this file to the desktop. Okay, replace this file. Okay, so I'm trying to restart this service again. Okay, again it's showing the same thing, so
let's again go to the log file. SSL; okay, it's the same thing. I think we need to create one more certificate with the host name.

Okay, so how can you create a certificate? Go to IIS, click on this host name and Server Certificates, Create Self-Signed Certificate, and specify the host name here, only the host name. Okay, so as you can see, the certificate is created, so let's import this. Oh sorry, we need to export this certificate; actually we need to put this certificate into this computer's certificates. For the password you can provide anything. Okay, the certificate is successfully exported.

So now go to Manage Certificates, Manage Computer Certificates. Okay, go first to the Remote Desktop certificate and open this: "This CA Root certificate is not trusted. To enable trust, install this certificate." Okay, as you can see, it's not trusting this, so that's why we need to put this certificate into the Trusted Root. So how can we import this? Just All Tasks, Export; sorry, we need to export this certificate so that we can upload it to this Trusted Root one. Next, leave it as it is. You can copy this to the desktop; again, you can rename it to anything you want, and because we have a different certificate with the same name, that's why I'm renaming this. Save, Next, Finish. Okay, so the export was successful.

So let's import that certificate to this: right click, All Tasks, Import. It should be Local Machine only. Browse to that; so this was the certificate, RD, yes, we have just renamed this. Open this and Next, and this should go to the Trusted Root one. Next, Finish. So the import was successful. Now you can just go to the Remote Desktop one and we'll see if it's able to trust or not. So go to the Remote Desktop certificates, open this; as you can see, the error has gone.

So okay, what we will do, we will just close this. Where was the previous certificate exported? Okay, I think it was not exported successfully, so let's go to IIS again. Open IIS, Server Certificates, and this was the certificate we just created, so right click, Export,
export to the desktop only, specify the name, Open, password. Okay, so I think, let's see; yes, the certificate is exported successfully.

Now we need to put this certificate into the Personal store of the PVWA. Just right click, Install. The certificates which are in the .pfx extension you can double click, or you can right click and install, and it should be for the Local Machine, not for the Current User, otherwise a different user will face the same issue. So it should always be Local Machine. Next, Next, and for the password, provide the password which you specified while exporting the certificate from IIS, and check this option, because we need the private key as well to be exported to the computer certificates. Just check this option and Next. Click on "Place", Browse, and it should go to Personal only. Okay, Next, Finish. So the import was successful.

So now what we will do: go to your IIS and Default Web Site, Bindings, and Edit. So this was the certificate, this is the self-signed certificate which was created when we installed the IIS application. If you haven't watched that video you can check my previous videos; I have told you about this IIS and the self-signed certificate. So just select the certificate which we have generated just now. Select that, OK, and Close. So now we need to reset IIS, so open the Command Prompt or PowerShell as an administrator and just type this command. So it's getting started; yes, okay, so it's started successfully.

Now first we will check if we are able to log in to the PVWA or not. As you can see, the certificate error has also gone. So you can check this if you want; the certificate is okay. So now let me check if we can run that service or not. Okay, just click on Start. Okay, as you can see, the service is restarted successfully. So this was related to the SSL certificate only, because this service needs to run the Windows
discovery scan, so it needs to communicate to the PVWA, so that's why a trusted connection should be established between the CPM and the PVWA. And in production, you have issued a certificate for the PVWA from the certificate authority, so the same certificate should be issued from that authority and it should be imported to the CPM so that the service can be restarted.

Okay, now what we will do: we will go to the PVWA and I'll show you the CPM, what's the use of the CPM, the Central Policy Manager. So let me close this first. Open your Internet Explorer, open this URL, log in with the administrator. Okay, so let me go to the classic mode. If you want, you can go from here also, and if you want to disable the v10 mode, I'll show you how to disable that also. So if you want to switch, just click on this. So this is the classic mode. If you want to disable the v10 mode, because most people don't like the v10 mode, I also don't like this, so what I'll do: I'll just go to Options, then General, and click on No, Apply. Okay, so just let me log in again.

Okay, so this is an error related to the browser, the Internet Explorer. So let me log in with the IP, because I think it's not supporting the v10, so let me log in with this IP. Okay, now it will support it, as you can see. Sometimes that v10 is not supported in this because the certificate is the self-signed certificate. And in production we have a URL instead of this host name, this IP, so you can specify anything, and the certificate should be for that URL only. If you want to specify secapslearning.com or anything you want, then instead of this IP you can specify your URL, and the rest will be followed by PasswordVault.

Okay, so now go to Administration. As you can see, these are the CPM settings and the user. This is the user; when you install the second CPM, then you
can see the list of the CPMs here: PasswordManager one, two, three, four. So go to General; these are the settings of the CPM. Okay, so we will talk about this in my next video, when I'll be making a detailed video on every topic.

So okay, what we will do: we will go to Policies and we will create a safe. Click on Add Safe. You can name it whatever you want; I'll just keep this SecApps. And the PasswordManager: you can specify the name of the CPM. If you have many CPMs you can specify which CPM should be attached to this safe. And this is "Enable Object Level Access Control". If you check this, you won't be able to uncheck it, so this will be a permanent option. Why we are doing this object level access control: this is the deep, granular access, which I'll be showing later on in my next coming videos.

And this is "Save last 5 account versions", which means it will save the last five account versions, meaning it will save the last five passwords. If the policy is set for 180 days, the CPM is changing the password of an account after 180 days and it will keep those passwords; you can say it will keep those passwords saved in its configuration file. Sometimes what happens is the user wants the old password, so you can fetch that password; I'll be showing you how you can fetch it. And this will save the last 7 days' passwords. So just click on Save.

And how you can give the access: if you want to give access to a user, you can just click on Add Member, if the user is in... okay, so we haven't integrated LDAP, which I'll be doing later on when I finish the PSM installation as well, in my next video. Then I'll be telling you how you can do the LDAP integration and how you can provision the access to an external user.

So now we will just onboard an account. Okay, so I don't like the Internet Explorer, but right now I don't have any
choice, so if you want you can install Google Chrome on this also. So go to Accounts. So what we will do: we will onboard the local server account. Local server means, I'll show you, this is the Local Users and Groups. So what I'll do: I'll onboard this account, Administrator, and will show you how the password is changed and all.

So go to your Accounts. For onboarding an account you need to make a safe, or you can store the accounts in a single safe. If you want to onboard 100 accounts, you can store those hundred accounts in a single safe also, and if you want you can create another safe also, because these safes are created for role-based access. If you have the Windows team, Unix team, database team, every team has their own accounts, so the Windows team cannot see the database accounts, or the Unix team cannot see the Windows accounts, and vice versa. So that's why we have this safe concept; you can say these are role-based access.

So okay, one more thing: before that I need to explain about the platforms also. Okay, so these are the platforms. Platform means, if you want to onboard an account or add an account of Windows, then you need to select the Windows template, and in Windows we have different templates. If it's a domain account, domain means the account which has been created on the Active Directory, your Microsoft Active Directory, you can onboard those accounts using this template, or you can say the platform. And same, we have the server local accounts, so now I'll be using this template because I need to onboard the local server account. And same, you have the desktop local accounts and the Unix ones, so we have different templates, or platforms you can say, to onboard an account.

And one more thing: when you are onboarding an account in production, you shouldn't use the original template. You always make a duplicate of
that. So how can you duplicate? Select any of the platforms; right now I'll be using the Windows Server Local Accounts, so what I'll do, I'll make a duplicate of this. How you can duplicate: just select that and click on Duplicate and rename it. So I'll be renaming this; you can rename it to anything: Win Local Server. Save and Close. As you can see, we have successfully duplicated the platform. And when you are onboarding an account, the platform should be in active mode only, otherwise the password change will not happen, or you won't be able to connect also.

So now go to Accounts, click on Add Account, select the safe, SecApps. Don't save any of the accounts in these inbuilt safes; these are for the CyberArk internal processing, so you don't need to save an account to these. It's better to always create a new safe. So click on Device Type. As you can see, we have the different device types, like when you have a database account or the cloud or the directory, so you need to select that only. Right now we are using a Windows server, so just select Operating System, and as you can see, select this Win Local Server. Provide the password; sorry, the address. For the address you can provide the IP address of this machine. The username: we are onboarding the local administrator, so specify the local administrator name. And the password: if you know the password you can specify it, otherwise you can leave it blank, because we have a concept of the reconcile.

So reconcile account means, when you don't know the password or the password is lost, the reconcile account will reset the password. It will log in to that machine and it will reset the password. For that, the reconcile account should have the reset permission, the change permission, on any account. So just save this.

And okay, so these are the concepts; you can see the logon and the reconcile account. Logon: it's basically for the Unix machines. In many
organizations the root, the default user of a Unix machine, cannot log in directly on the Unix machine, so for that we have this concept. You can just use a logon account, and using that account it will log in to that machine, and this logon account will have the switch permission, like su -, so it will switch to the root. So in that case we can just use this logon account concept. And the reconcile account means you can just associate that reconcile account, so when your password is lost or you forgot the password, you can just click on Reconcile and it will reset your password. But right now we don't have any reconcile account, and when I'll be installing the Active Directory, in that case I'll show you the reconcile concept also.

So okay, as you can see, our account is onboarded successfully, so just click on Verify. You can see the last verified is not applicable because we haven't verified this account, so you can just click on Verify. So let's see if the CPM is able to verify this account or not. So what the CPM will do: the CPM will use this password and it will log on to this machine with this user, and if the CPM is able to log in with this user then it will be successfully verified. If the password is wrong, it won't be able to log in to that machine and your verification will fail.

So it takes time, like two to three minutes or sometimes five minutes, so what I'll do, I'll just restart the service so that it will be executed immediately. In production don't do that; you cannot restart the service like that, but this is the virtual lab, so you can do anything. So let me refresh. As you can see, our last verified is successful; you can match the time. And if you want, you can go to the Activities and check: "CPM Verify Password", and it shows you success. You can see it's success, so it means our password is fine.

So, and now
I'll show you how you can change the password of an account. So just click on Change. So we have these three different options. If you want to change the password immediately, select this option. Or if you want to specify your own password, then you need to comply with this password complexity and you can specify the password. So what it will do: if you uncheck this, then after the policy, say you have specified the policy of 180 days, when it is going to change the password on 180 days, it will use this password which you will specify here. If you select this, it will be immediate.

Then this is "change the password only in the Vault", which means the password which you will provide here will be different from the machine; machine means the password which you have specified here. Sometimes what happens is the user is not able to change the password due to many reasons, like the network or anything, so what they do is they just change the password here and copy that password and save it with this third option, so that the password is the same on the CyberArk and on the machine.

Okay, so we will be using the first option. Click on OK. Again, wait for some time. So let me restart this again. Let's see if it's done or not. Okay, so it's done successfully. You can see the last modified, and you can match it with the time. So our CPM is working fine; it's able to change the password and also verify. So this was related to the CPM.

And okay, so I want to show you the versions. I was talking about this; you can see the two versions of the password. So when you change the password, say you have changed the password seven times in seven days, there should be seven passwords listed here. So it will save the previous passwords also; if you want to go to that password then you can use
that password also: Copy or Show.

Okay, so Windows Service. So these are the dependencies, account dependencies; I'll show you what it is. So as you can see, these are the services. If you want to manage this service, how can you manage this service with CyberArk? Go to Properties and Log On. So when you use an account, you will onboard an account and you will specify this service here, the service name and the address, and that account should be associated here, this account. So you can specify the name of the account and the password, so that when CyberArk changes the password, that password will also be updated here and this service will be restarted. Okay, then it's the same with the Scheduled Task: if you are running a scheduler, the Windows scheduler, then you can choose this option. If you want to run that service using CyberArk, you can onboard the dependencies account, if it's IIS, the Windows Registry, COM+ application, etc.

Okay, so now let's talk a bit about the platforms of Unix, and I'll show you the CPM settings also. So when you edit a platform, I have just edited this platform, this is basically used for connecting to the Unix machine; SSH, you can see. So these are the settings of the CPM: Automatic Password Management. If you see General, these are the default settings. Okay, so as you can see, this is the plugin, or you can say plugin controller, so it's basically responsible for changing the password. Earlier we were having the PMTerminal; this is the latest one, CyberArk TPC. And the rest, you have the different settings of the password change, the password verification, reconcile, notifications. I'll be explaining all these in my next coming videos.

Okay, so I forgot... let me go to the... I think I have forgotten something. Okay, I have explained to you about the prerequisites,
installation, the main configuration, the built-in safes, built-in users. There is only one user, which is PasswordManager, and it's generally used to change the password or verify or, you can say, the reconcile, and running the auto-detection. Auto-detection is a feature using which you can onboard the workstations, or you can say the laptops, to CyberArk, which I'll be showing again in the later videos, because I want to focus more on the basic part so that you can have an idea about this CyberArk; then we will be doing the other operational and the main configuration changes. Okay, I've explained to you about the scanner and operational tasks, CyberArk safes and the master policies. Okay, master policies is left, so let me go to that.

Go to Policies, Master Policy. So this policy is related to the CPM. When you are onboarding an account, like you have onboarded an account, the password of that account will change on 90 days; after 90 days the password of that account will be expired. So if you want, you can change this setting also. You can just go here, and if you want to specify 180 days or 10 days, anything, you can just change it here. And the same if you want to change the verification: it means after every seven days the CPM will verify your account, if the password is correct or not. Okay, so this is related to the CPM.

So let me go to the topics. Okay, so hardening is left. I've already explained about onboarding an account and changing the password of an account. Hardening is left, and the CPM services I have already told you. And one more thing, sorry, I forgot: in starting this video I told you about why the sequence is changed, why the sequence of the PVWA is changed. Earlier, before 10.7, we were installing the Vault and then the CPM; the CPM was installed before the PVWA. But now, after 10.7, this sequence has been changed, and this
question is asked several times in the interviews. So what's the answer? We can install the CPM right now also before the PVWA, but we need to make some manual changes. I'll show you what the changes are. Go to your CPM installation files, Password Manager, and see, this is the API key. Because when you install the PVWA and then you are installing the CPM, this URL of the PVWA is automatically specified here, but if you install the CPM before the PVWA you need to manually specify this, and you need to make more changes. So to avoid the manual efforts, we are installing the PVWA before. There are several settings related to the APIs; the CPM Scanner service communicates to the PVWA for the Windows discovery process, so that's why we are installing the PVWA before and the CPM after that. But we can install the CPM also before the PVWA; in that case we need to make some manual changes, and if those changes are not met we need to troubleshoot a bit. So that's why, to avoid those manual efforts related to this API, we are installing the PVWA before.

Okay, so I think we are done for today's topic. Okay, so hardening is left, sorry, sorry. So let's go to how you can harden your machine. First log out of this. Go to your setup files, Central Policy Manager, InstallationAutomation, and these are the hardening scripts. If you want to make any changes in the hardening script, just edit this and you can see. Okay, so because it's a virtual machine I won't be making any changes. "Is PSM installed": no. So it will disable the screen saver and make other policy-related changes.

So let's run the script. Use PowerShell, Run as administrator, and run this script, this CPM hardening: just type CPM, hit the Tab option and just Enter. So our hardening script is started. One local user of the Password Manager will be built and it will be assigned to the CPM services, both the services, the Scanner and the Password Manager. I'll
show you after the hardening process is completed. I think it's completed; let me minimize this. Okay, so it's completed. We will verify the logs, whether we have got any error or not, but it's showing "successfully created". Let me check. You can go to the log and you can verify the errors, so let me search for "error". "Start disabling the following", SNMP; okay, so it's not related to any error. This is one of the services, the Windows Error Reporting Service. Okay, "disable service", so the CPM hardening has disabled this service, the reporting service: changing the service start type to disabled. Okay, the reporting service does not have dependent services. Okay, so we don't have any error. This is the name of the service, so that's why it's showing this service. Because the CPM will notify the users related to a change in password or the verification, that's why it has disabled this reporting service.

So now go to Services and search for CyberArk. Okay, so you can see this is the local user. When you run the hardening, local users are created: the Password Manager user. I'll show you the local user, so let me close this. So this is the user, the Password Manager user. When you change the password of this user, your service will be stopped, and to run that service again you need to specify the same password which you have changed. So how can you specify that password? Just go to Properties and Log On and specify that password here, because it's using this user to run this service, and click on OK, and your service will be restarted again.

already built one Windows Server, so we will start first with the Active Directory: how you can install the Active Directory, then promoting that server to a domain controller. So open your virtual machine. So I have already built this Windows Server and I have named it Active Directory. So first of all we will define one IP address for this, so go to the Local Server, or you can open this with the command ncpa.cpl, so you can define the IP address from here also. So
we will go to the Local Server, then the IP address, and open its Properties, then define the IPv4. So I am using the same series; you can use anything. Okay, so we have defined the IP address, so let's ping this IP. Okay, it's fine.

So now we will start with the Active Directory installation. So open this Server Manager, go to your Dashboard, then click on Add Roles and Features. So let me go to full screen mode. Okay, now click on Add Roles and Features, click on Next, Next, and select this option, Active Directory Domain Services. Click on Next and the rest will be default. "Restart the destination if required"; just install this.

So while this Active Directory is getting installed, what we will do is power on these machines where we have installed the CyberArk PVWA and CPM. If you haven't watched that video you can go to my channel and watch my previous videos on the Vault installation and the CyberArk PVWA installation, then the CPM installation. So let me log in to this.

Okay, our Active Directory is successfully installed, so just close this. When you successfully install the Active Directory Domain Services, you will see this yellow flag option, so you can just click here and you will see this option, "Promote this server to a domain controller". It means your server will be a domain controller, or you can say the Active Directory. Just click on this, and here you will find these three options. If you already have a domain controller then you can add one more, and if you want to add a new domain to the existing forest you can just provide the domain name here. Actually we don't have any domain, so we will click this option, "Add a new forest", and you can provide anything you want. I'll provide secapslearning.com; you can provide anything you want. So just click on Next and provide the password. It will be the password of your
administrator, the account which will be used to put the server into the domain. Sorry, Next. Ignore this; this is related to some DNS delegation option, so we don't require this option. So click on Next. Your domain will pop up automatically here. Okay, so click on Next, Next.

"One or more prerequisites failed"; so let me check what it is. The local Administrator account becomes the domain Administrator account when you create a new domain; the new domain cannot be created because the local Administrator password doesn't meet requirements. Okay, actually it failed due to the password, so let's do one thing: provide a strong password here and use the same password while installing this Active Directory. Okay, now go to the previous steps and provide that strong password here also. Click on Next. Let's see; it's verifying the prerequisites. Okay, now it's showing successfully passed, so just install.

So meanwhile we will copy the setup file to this CyberArk component server. In the virtual lab you can install the PVWA, CPM and PSM on a single machine, but in production you need to install the different components on a dedicated machine only, because otherwise there might be a performance issue and you won't be able to harden your machine, because the CPM and PVWA and PSM have their different hardening scripts. So it's better to install all the components on a single dedicated machine. Actually it's a lab environment, so you can install all the three components, CPM, PSM and PVWA, on a single machine.

So right now we will copy the Privileged Session Manager setup. Go to the setup and paste. And what are the prerequisites of the PSM? The basic prerequisites are the same: you need to have Windows Server 12, 16 or the latest one, and then the Microsoft Visual and .NET Framework, and apart from that there are extra add-on prerequisites, like installing the RDS services, and then the server should be in a domain.
so these are the few more prerequisites for the psm server so that's why we are building up the active directory so i think active directory is getting installed so let's wait for this wait for some time so meanwhile i'll clear few of the things i'll extract this like again if you want the videos on specific topics you can comment below or you can mail me so that i can make the videos on your topic because right now i am focusing more on the series so i'll be covering first of all the standard installation then we'll have the ha installation then the replication and the break glass scenario and the restoring a complete vault and the migration the upgrades automation etc so let's delete this okay so let me clear all this okay i think the active directory installation is completed so let's login to this okay okay so let me go to the full screen mode so let me go to server manager so click on local server and you you can see domain so this is our domain dot com and i'll show you the the accounts and the ou and other active directory default settings so this is the domain secapps learning so these are the users inbuilt users you can see so like when you are working in a company so you need to login using your email or you can say the domain credential to the respective servers or the dashboards so those accounts are created here only like you your id is created in this active directory only and you are provided the access to the respective machines or the servers or anything using a security groups so i'll be making a different video when i'll i'll be telling you about the ldap integration in that i'll show you how you can create the groups and the users and how you can integrate the your active directory to the vault so that the users who are in the active directory can get the login access to the cyberark vault so let me do one thing let me change the password of this account first so reset password so i'm keeping the same password so that's why i didn't forget
the password to log in okay so password is changed and i'll do uh okay so that's two users are nf administrator and this i kept learning so i'll see if this user is the part of domain or not oh sorry administrator okay so it's already part of the administrators group so now uh what we will do okay so like when you want to create the ou organizational unit you can say or the user so you need to login to the active directory only and need to navigate to this and you can just create a new user or a security group or anything you want so i'll be sharing i'll be telling you in the different video so let's our domain controller is ready and now we will log into the server where we want to install the psm so first you need to bring that uh server into a domain so how you can put that put this server into domain so you go to the local server and you can see right now it's in the work group so work group like you can say is a set of computers you can say about a dedicated uh computer so but in a domain it's a part of the domain like the organization like it's part of the domain or you can say the forest in forest you have the different roots and all so so i'm not going deep in the work group or the domain i'll be having a different session on that so let's click on the workgroup okay so first we need to change the dns so click on the ip address so where you have specified the ip address so click on the v ipv4 properties and click here preferred dns so you need to put your server and you need to provide the active directory ip here so that it should connect to the domain so click on ok close then click on work group change and click on this domain so if you want to change your name you can change and if you don't want like let it be so domain so specify the domains which you have specified while installing the active directory so secapps learning okay and okay so you need to provide the administrator password or the password like which you used for while installing the active
directory so i'm specifying administrator okay so let's see if it's able to connect to the domain or not so meanwhile we will see if our vault server is online or not so log on to this okay the server is already up so the user password must be changed before signing in okay i think we haven't changed that configuration so let's go to your active directory the server manager then the tools and the users and computers and administrator user must so that's why it's showing the user must change the password so just select the password never expire apply okay and one more time reset the password okay password is successfully changed so let's try again click on ok administrator okay let's see and while installing the psm you need to login to that server using a domain credentials like we will use one user to log into this so and okay let's wait for some time okay so welcome to the secapps learning domain so you can see uh this server is successfully uh into the domain so before that before starting that i'll change few things i'll make the domain user a part of the local administrator group so administrators click on add and specify this location this is the domain location advanced so again it's asking for the credential fine now so let me show administrator is the part of so another domain admins and the administrator is already part of this administrator group apply okay so let's restart this machine so after like you restarted this machine then only this changes will be applied so let's wait it will take again it will take some time so let me minimize this this is our active directory and like in my next videos i'll also uh i'll be sharing a video on like how you can uh create your active directory ca certificate authority then smtp server and there are lots of videos coming i'll be uploading the videos on every sunday on a topic so if you want the videos on a specific topic you can let me know okay so it's completed so let's go to
full screen mode and then login to this so you you need to log login with the your domain credential now so just switch user the user specify your domain secapps learning slash use the administrator or any user you want so you are logged in with the your domain user to that server okay okay actually it's a different profile so the setup which we have saved on this have gone so let me login with the different uh that local user so i'll log in with the different users so use dot slash okay so when you want to login to a machine using a local administrator or the local user you need to specify the dot slash and then the user name otherwise it will go to the domain so you are logged in with i think it's again went to okay let me try the different user okay now you can see like we have logged in with the local user so now you you are able to see this setup file so what we will do we will copy these setups to the c drive so it's copied and now we will remove this we don't want now so let's switch again switch user and login with the domain because we need to install the rds remote desktop services which is one of the prerequisites of the psm okay now first let me uncheck this now click on the dashboard and add roles and features click on next click on the remote desktop because you want to install the rds services so next standard deployment then session based desktop deployment next and these are the three services uh you need to install like these uh if you are having the web browser access you want to access the web browser or the this uh session host so you need these uh services for your psm okay so click on this tool next it will verify the prerequisites okay so click on next okay so just check this option restart the destination server if required then deploy so like after these services are installed successfully then we will be installing our psm server and after that we will check the psm master policies and onboarding account and how we can connect
to that account and the how we can point one uh single psm to the ps to the platform like if you are having five psm in your environment how you can point one psm so that the connections are made using one psm only so let's wait for some time it's getting installed again like installation part is uh very easy like it's not that messed up you can just follow the documents and you can start building up your lab but the important part is like the post configuration working on the operation part like there you will get many errors related to the operational then the related to the user interface internet browser internet sorry internet explorer browser and like there are lots of thing in the operation you you will be learning so you can build your lab environment so that you can get a feel if you are starting with the cyberark because you will find several videos on the youtube like they haven't made the series like they have made the videos on a topic uh and haven't uh created like how you can build the your virtual lab and windows server installation like many of our many of you don't know how to build your virtual machine and like if you are a fresher so that's why i've started this these the series so okay so don't forget to subscribe my channel and like comment share okay so rds is i think installed so let's login with the same user and in psm also like you will find the so okay so first click on the server manager and see if the roles and features are that those rds are okay so it's running it's in progress so meanwhile we will discuss about the little uh discussion about the psm like the html5 gateway so do one thing go to your setup and you will see this html5 gateway so like in many of the organization like they say like we don't want to use the rdp for the connection so in that case if the rdp ports are not used so in that case we can have the html5 gateway installed so it's a linux based so you need to install just like the psmp i'll be making a
different video on on this so in that case it will route like it will convert your request your http request will be converted to the rdp only then the user will be able to connect to the server so it's also one of the great feature by the cyberark so okay so it's still running let's wait for some time or i'll do one thing i'll pause this video and we'll okay i think okay one of the service failed so let me see what's the error exception of type common idea was thrown okay so next was also remote okay so let me verify one thing close go to your if your this remote management is enabled or not okay so it's enabled and check this option also okay so uncheck this apply okay and go to your active directory also and see if this is okay so you need to allow this sorry we forgot to allow this remote connection to this computer okay so i think rds is installed so we failed with the two so let's run this again click on next remote desktop next session based next click on next so let's try to install again so meanwhile i'll okay so i'll skip this part actually otherwise the video will be too long so okay so i think it's getting succeeded okay so it's it got succeeded so let's close this in virtual machine like you might uh get these errors because while in the production you will get the server and you will have your active directory so you don't need to install the active directory it's for your like the you you can understand understand the basics like how the active directory and the uh your vault will work in my coming videos i'll let you know about the uh vault and the active directory how it uh how the vault and the active directory will be integrated and how they communicate so first we will for the psm we need to build the collection so if you don't want to build the collection it's fine otherwise you need to in the production you need to build this collection so that the connections are not like it can be shared with the resources you can say collection me it it
will be shared with the resources and the user will be able to make the connection to their respective servers okay so just click on the collection create session collection and name anything you want so i'll do one thing psm collections next next and in the domain user i'll do one thing i'll add the administrator also so let me click on the find now inbuilt so the administrator will be have access to this then uncheck this option okay create so it's getting installed okay so it's succeeded close this so now we will start with our installation part okay so just go to your setup file and right click on the setup sorry run as administrator so let's see our vault is up or not otherwise our installation will fail our vault the cyberark vault should be up so let's see it will take some time like psm installation takes time let's wait for some time and meanwhile we will see what are the files in the setup so go to third parties autoit these are related for the automation part like when we will uh making the connection component so i'll be telling you how you can use this and how you can install the autoit also so first and then the hardening the health check okay okay and it's verifying if dotnet framework is installed or not okay i think it's taking time so let me skip this part so our installation uh psm installation has started so just click on next yes and provide the username anything you want click on next and if you want to change this adder you can next this is the for the recordings so when you will make the connection uh when you will connect to the target server so your recordings your video recording will be saved to this file this safe so this is the pvwa config where the policies related to psm and cpm are stored so click on next so it's installing the oracle instant client i think again it's taking some time let's wait for one or two minutes okay so in meanwhile i'll tell you about the psm like i forgot to explain a little about the
psm psm is a privileged session manager and it's used to make the connection like it's you can say it's a jump server so i'll be showing you like when the psm is installed how you can make the connection so it's basically used to make the connection then it records your work like how your connection like your when you are performing something or you are connecting to a server a video recording will be created and the keystroke logs also there and it's like you can say it's uh isolated it's isolate your session so like uh there is no attack on your machine or no one can no one able to access your machine and it creates a one shadow user psm shadow user so when you log in to the pvwa first time and you hit the connect button so your one shadow user is created and you can say it's a shadow of your of yours and it makes the connection uh it helps to make the connection to your target machine and it has limited permission your psm shadow user have limited permission and if the psm shadow user got hacked so you won't be like losing anything because it doesn't have any permission on your machine so i'll be showing you that also so psm is taking time like it's taking time and getting installed so let's wait for two to three minutes or i'll skip this part okay i think i need to skip this part as well as okay so it's okay so provide the ip address of your vault and the port would be it's the default port for the communication between the vault and the psm and other components next and specify your cyberark vault administrator password next and okay so this is for the distributed uh environment like when you are installing the uh vault in a distributed environment then you need to provide the host name so we are not installing any distributed environment so that's why we will skip we won't provide anything so just click on next yes if you want to enable the pki authentication so you can enable but we don't have the pki authentication enabled and so we will leave it as it is click on
next okay so this is one of the great feature so if you were first like earlier we need to harden the machine using a script uh but now like you can harden the machine in the setup itself so let's go to the advanced and see what are the features it does have so you can select the options if you want and the hardening script post hardening script and the tls setting and the other if you want to choose this option you can but i'll do i'll i'll be doing the hardening afterwards so because due to hardening lag there might be issues related to the connection another so i need to make changes in this script then i'll be running the hardening script so i'll uncheck this option and click on next so it's creating the vault environment the psm safes and the psm users will be created now so let's wait let's wait again the psm installation is a bit slow so let me skip this part okay so it's asking for the username so this is the internal user of the psm so it's like its main function is to perform the internal processing like to storing your recordings to the cyberark vault just you can rename anything if you want so i'll just let psm app click on next so it's the gateway user so like psm gateway user will fetch the password of your target machine and then it will grant you the access to the your target servers so just click on next and i'll also show you like what are the psm app user or the gateway user and the psm master have the permission on a particular safe so they have the different permission on a particular safe to perform your opera perform the of your operations and okay let me go to the vault and see if it's as you can see administrator quota ownership of safe psm session has been removed so the quota owner is now master i'll show you what does that mean so for if uh let's wait for the this installation part to be completed then i'll log in with the administrator user to the privateark client then i'll show you the permissions and all like if you want to
install a second psm or three or four so the process is same the prerequisites and everything should be same and you need to run the setup but like there will be a different difference like there will be only one difference like while it will ask while you will install the psm it will ask you for the your username psm app user psm gateway user so you need to provide the different name otherwise it will override it will fail so you you can provide the psm app user one app user to gateway user or anything the name should be different the and the rest setting is same again i have to skip this part otherwise the video will be too long okay our installation part is almost completed so we will restart this machine just click on finish so meanwhile we will login to the cyberark vault and then just click on the privateark client login via with your cyberark administrator okay so let me go to full screen okay so you can see uh the safes psm psm live session notification universal connector so these are the inbuilt safes of the psm and i'll show you one thing we got one the safe psm session has been removed and the quota owner is now psm master so go to psm session okay so this is the psm session and just click on open and then right click properties so it means like the quota like if you want to spec if you want to increase the size because by default it's 50 mb so if you want to increase the size you can just increase it from here and this is now owned by the master master user so you can see the okay and same with the with this safe this unmanaged session accounts so let's go to that as you can see uh this sort sorry the quota is currently owned by the master user so we also don't have the permission to change this so it's the master user who can change this so i'll show you the owners so just click on that and go to owners so you will see these are the default users which have permissions on this safe you can see the auditor group have the monitor safe
permission then the backup user have the backup safe permission so every user have the different permissions on a particular safe so let me go to the users and group so you can see these are the users in built users of the psm psm app user is generally used for the internal processing of the psm and like storing the your recordings to the vault another internal processing and gateway user like psm gateway user will be used to fetch the target machine's password then it will grant you the login access to the your server you can say and the psm master it's mainly used for the you can say the safe management the recording safe management is done by the psm master and the rest are the pvwa users so we have already explained that in my previous video so you can watch that video if you have missed the live session so this is the group related to the live session monitoring live session okay so just log off and see okay so when you will see this error ignore this so sometimes it occurs when you are installing the components in your virtual machine so ignore this so just login with your domain or the local administrator so i'll use the domain one okay so let's go to your okay so it's red don't worry we will delete this okay so we need to harden machine also harden this machine also so verify the installation also go to the program file 86 cyberark then psm then you can see the your basic uh this is the main file of the psm where the psm admin and the psm server id is defined so i'll be showing you like what it's used for psm server is basically used for making the connection it's the id of your psm server so you can route your psm using this id or and when you are having a load balancer then you can change this also and the admin is basically used for the session your session recordings and all and these are the important configuration files which are stored in this safe pvwa config safe so now go to the logs if you want to verify psm manager has been terminated so
let's see what's that error error timeout has expired so let's see go to your services so let's start this okay so now it's restarted successfully so let's verify the logs again as you can see this is up so now we will log into the pvwa and we'll show you how you can use this psm in making the connection okay internet explorer not responding let's wait let me or reopen this so okay okay again it's not responding i think it's due to the this so let me do one thing let me so hardening so i'll explain about the hardening it's the same thing uh i need to okay so i'll be running the hardening from that where the psm is installed so let me delete this so that we can have some free space so okay now it's fine so let's see okay open that pvwa url so last time we have installed the pvwa so you can watch that video how you can install the pvwa okay so let me get the hostname this is the pvwa url so let me open this okay so it's opening i think it's too slow so meanwhile i'll make few changes in the explorer settings so let me reopen this okay so login with your administrator so you can see these are the two users of the psm so let me go to the policies then go to the this session management so these are the two settings for the psm so if you will not check this option this is inactive right now so you won't be able to connect to your target machine so let me active this saving okay so let me verify one more thing so as you can see this is the psm connect and the admin connect so if you want uh like domain uh psm connect and admin connect can be used so i would like to recommend you only use the domain psm connect and admin connect only when the activex forwarding is enabled in your environment so in that case only you use this these domain admin account psm domain admin account or the psm connect or the local user will be fine so if you want to have the domain then you can just create the psm admin connect and the psm connect account in the active
directory and then you can make some changes you can you need to make some changes in the psm configuration file then the in pvwa also and then you will be able to use your domain psm connect and admin connect users so okay so let me go to this so right now what we will do we will onboard an account sorry okay it's too slow so let me switch to the classic mode access safe then add one safe so i i've already explained this about in my previous video so just name anything and this is the cpm password manager save so now we will onboard an account and we will make the connection so let me go to the classic mode so what i'll do i'll onboard one account a domain account so let me create one so go to your active directory then the users and computers then users and just click on new user so we will have this as test test underscore you can keep whatever you want test user then the you this will be your logon name so this name will be used to onboard the account in cyberark so click on next and if you want to uncheck this you can i'll password never expire then password then click on next finish so this is the test user so we are going to onboard this in the cyberark and we will try to make the connection to that so store in safe so we will use the say safes which we have built previously secapps learning then the platform the device so it's a operating system windows so use the domain account because it's a account created on your active directory on a domain so we will use this platform so address address will be your domain controller machine then the username test underscore user and provide the password and save just uncheck this okay so we have onboarded the account so we will try to make the connection so how you can connect and like for the windows machine the psm will use the rdp and it's 3389 it will use the 3389 port to make the connection and for the ssh for the unix machine it will use 22 putty okay so let's try to connect click on connect and okay
so you are required to specify reason if you want to uh close this part so you can just go to the your policies then the this user require users so just select that click on inactive option and save so now you won't be there won't be any pop-up regarding the reason like it will not pop up for you need to provide the reason so you can connect from here also but i want to connect from why it's not actually there are some performance issues on the classic interface so let me switch back to the v10 interface so v10 interface is like little bit fancy you will see many things you will see like related to compliance and other details as well as in the v10 interface so this is the user so just click on the connect and it's optional as you can see now you need earlier it was mandatory so if you want to resolve like if dns is if you have the dns then it will be resolved successfully if you don't then you can just provide the uh your machine like which you are which you will be logged on to then i'll click on this second so as you can see my domain has appeared so let me provide the remote machine like the machine to which you want to connect so i'll specify the the domain controller ip address so just click on connect open retry so couldn't be downloaded so let me check again we will connect and see i think it's getting blocked rdp couldn't be downloaded view downloads so it's due to the browser so let me see why this is getting so let me switch to the let me try with the classic if it's the same thing for the classic so just connect log on save this option specify your save okay so that was related to the return what was that sorry i missed that so let me again see there the okay so which you can okay so nla the remote computer requires an authentic which your computer doesn't support okay so let's verify for the nla network level authentication so just go to this uncheck this option because like we need to make some uh other changes to get the
connection from using the network level authentication so right now we are not using that so just uncheck this and now let's try so open okay so i think it's getting open as you can see you are being recorded it means your video recording has been uh started so this will record your session like uh whatever you will be doing on this machine so it's getting connected let's see okay so contact your administrator the remote desktop might not be enabled or be too busy okay so let's i think it's coming from the active directory only so let's verify one thing let me check if this user is the part of the rdp so we will grant the rdp access to this so while it was due to the remote desktop user so let's see if it's getting resolved or not so i've made this test user a part of the remote desktop user so that rdp will be allowed so let's see let's try to connect again connect then save open connect so your session has been started so let's see if we are able to connect now or not like when you are initiating a rdp connection remote desktop so okay so again we are getting this error please try the remote connection might not be enabled on the right visit also possible that preventing you okay so let's see one more setting so let's go to here and verify this okay so it's there now what is causing that issue password never expires test user everything seems to be fine then okay let me okay so let me verify if the password is correct or not so i'll select this and verify i think i have mistyped the password so i'm verifying the password using the cpm so let's wait for two to three minutes hmm okay so this interface is getting slow and slow so let's see never verified create a 10 we will see in the details activities i think so let me verify one thing so i am sk i am pausing uh as of now so i need to look back like what's causing the issue if i'll troubleshoot uh live so video can be too long so i'm skipping i'm pausing this part not skipping so let me
okay sorry for the inconvenience actually i don't want to make this video too long so that's why i was i was troubleshooting on that so i found one solution actually the ports were blocked like when i was taking the manual connection so in the production also like if you are facing the same issue like you are not able to connect to the any of your server using the psm then you can try one thing you can log on to that psm server and open the remote desktop connection using the mstsc and provide the ip address or the host name to which you want the connection if the manual connection works fine then you need to make changes in your psm settings if if you are not able to connect manually also then there is a issue at the server end so let's verify so i'm just connecting to this uh 10.1.1.2 so let's see as you can see it's not going to the next stage so let's wait as you can see your remote desktop cannot uh connect to the remote for one of these reasons so it's due to the port like port is not open at the active directory end and it requires 3389 port so let's go to the active directory and for like you need to how you can open a port so just go to the search and search for windows firewall oh sorry so like if you in the production you might be having the external firewall like cisco or the palo alto then you can allow your communication from that but right now we have the windows firewall only so just click on the inbound and create new rule and live you can also open a port like you can provide the port number also but like this is virtual machine so i'll be allowing all the programs so we will be having further troubleshooting like i'll be using the autoit and other scripts as well as so that's why i'm opening the port for i'm allowing the firewall for all the programs so just select the program next all programs next allow the connection next and you can rename anything i'll rename this psm inbound in connection psmn just then again you need to
click on the outbound then create one new rule again program then all programs allow the connection next psm underscore out finish so let's verify the connection again so i'm just hitting the connect button again so as you can see now it's directly going it's asking for the username and the password so i'll use that test account only so specify the username sorry let's see okay now it's asking for the the connection so it's not the trusted one so if you want to uh secure this also so you can use one ssl certificate so we need to make some some changes in the tls settings and all in the psm then this connection will be also secured but right now we don't have any uh certificate ssl certificate i'll be making a different video on that so click on yes so that it it should trust the connection why our pvwa is getting slow it's not getting loaded so let me again okay as you can see we are in so we have logged in with the test user as you can see we have logged in with the test user if you want to verify okay i think this is the if you want to verify so you can see the test user so we are successfully logged in with the manual connections so now we will try with the cyberark if manual connection works fine then it will also work from the cyberark so let's login to the pvwa password vault web access go to the classic mode and connect open connect so let's see so you are being recorded on notification from cyberark connecting on okay so we are in as you can see we are logged in with the cyberark so i'll also show you the recordings and all so if you let me do some thing on this so i'll show you the recordings and all the keystroke logs okay so that is fine so just close this connection okay so before that i'll show you one the shadow user earlier i was talking about this shadow user okay so you can see this is the shadow user group psm shadow users so let me go to the users why i cannot find i think it will be created after some time so we will
verify again. So this will be... okay, so let me verify. If you want to see the shadow user, go to the users and these are the... okay, so still I cannot see the PSM shadow user. Okay, we will see later on; I think it will take some time to get created. So now I'll show you the recordings and all. So go to the... okay, so I think this user doesn't have the monitoring permission. Okay, so let me log in with the... let me go to the server app and check: Tools, PVWA monitor. Okay, Administrator is there; I should make the auditor also. Okay, so I am granting the permission so that Administrator can get that monitoring option. Okay, now you can see this option is enabled, so just click on that Monitoring. So it will show that video; like earlier we made a connection to the Active Directory using the test user, so it will show the connection. So as you can see, these are the connections, so you can play this, play video. "Your browser doesn't support..." okay, so it's related to the browser only. So if you want to see your video, your video has been recorded. So that's why I don't like to use Internet Explorer; there are a few things which are not supported in this browser, so you can use Google Chrome if you want.

So now, okay, so let me see what are the things left for today. So we have already covered the ports, safes, user, operational, almost; the establishing connection; hardening is left; services I've already... okay, so we'll show you again. Pointing is left; shadow user is this. Okay, everything is covered except two things, so let me quickly cover that also. Okay, so go to your Administration, Platform Manager. So if, like, you are having five PSMs in your environment and you want to point one of the PSMs to an account, so that when the connection is made it will use that PSM only, so what we will do, we will go to the platform. Suppose you want to change for this: Edit, and expand this UI & Workflows, and then click
on the Privileged Session Management, then change this ID. So what should be the ID? So like if this is the PSM and you want to route this PSM so that this PSM is being used for this Unix connection, so what you will do, you will take this host name and you will specify it here with the PSM hyphen this. So it means when you will use this platform, like you have onboarded a Unix account using this platform, then the connection will be from this only. So you can Apply and OK and just restart the service. So right now I don't have any Unix. So in this way you can point one PSM to the platform, so it's being done from the platform only.

So let's go to the service. Let's start with the installation part. So first you need to own your virtual machine, and like if you haven't watched my videos regarding the vault installation, PSM, CPM, PVWA, then I have already provided the links in the description; you can visit those links and watch those videos, because it's a series, so if you start in between then you won't be able to understand, like if you are a fresher. Okay, so first of all click on Create a New Virtual Machine, Next. Okay, so first we need to build the Windows Server and then we will be installing the vault and then the DR vault service. So because I have already explained about the Windows Server installation and how you can build your Windows Server and how you can define the IP addresses, you can watch the previous videos. So as of now I am skipping this part; when my server is installed then I'll switch back. So for now I'm skipping this. So our Windows Server installation is completed and I have also copied the setup files. So as you can see, Disaster Recovery. So the rest of the installation is the same as the vault, like how you install the SecApps vault. If you haven't watched that video you can watch my previous video; I have already explained about the vault installation. So everything is the same,
like you need to install the vault, and after the vault installation is completed successfully, this is the additional setup, so you need to run it after completing the vault installation. This is the disaster recovery service. So first of all let's define the IP, and the settings should be the same as the production vault. So let me check this option. Like in production, when you are deploying the CyberArk vault and the DR vault, you can uninstall these items except the IPv4 and IPv6. So define the IP in the IPv4 properties and use the following IP address. Okay, so it should be static and you can use the same series, so I'm using 4 here. Click on OK, Close. Let's see if we are able to ping or not. Yes, it's pinging. So let's see for the production; so this, 10.1.1.1, is our production vault IP. Yes, we are able to ping that IP also. So let's start with the installation process. So just go to the Server, first Run as administrator, click on Next, and specify the username and the company name. Standalone; and I'll be making a different video on the HA cluster, CyberArk cluster. Next. Destination I'll set as it is, and the license, so you can use the same license which we have used while installing the setup file, so just specify the address. Then the operator CD path; I'm skipping this part, I'll be making a different video on this topic. Remote Control Agent; so we are not installing the distributed vault, it's a different concept, so I'll skip this part. Click on Next. And if you want to harden this machine, like while you are installing the CyberArk vault in production, you should harden your machine; in the virtual lab you can check this option if you don't want to harden. So I want to harden this machine, so just click on Next, Next. So your hardening process has been started, so it will remove some unnecessary services and a few of the services will be disabled, so like to secure the
server, so that's why it's uninstalling many of these services in this hardening process. So let's see if the production vault is up or not. Yes, it's up. Let's wait for two to three minutes; I think it will take that much time only. Okay, it's completed; now it's updating the other configuration files. And one more thing: in most of the interviews one question is asked, like how the production vault and the DR vault communicate. So they are communicating using the disaster recovery service. So like if your production is up, like this is our production and it's up, this server is up, and this is our DR, so the DR service will be replicating the data from the production vault. So if you stop the DR service then there will be no connection between the production vault and the DR vault. So the DR service is responsible for, you can say, connecting both these servers using the DR user, and if the disaster recovery service is stopped, these are two different servers, you can say. Okay, so enter the master password. You can use the same password which you have used while installing the CyberArk vault. Like while installing the CyberArk vault and the DR vault, the configuration, the server settings you can say, should be identical, like the network adapter or the storage or, you can say, the RAM, etc., because it will be replicating the data from the production vault. So right now I don't want to restart my computer. Finish. So if you want you can install the client also on this machine, or you can use the same client to access both the machines; I'll show you how you can access both the machines. Okay, so let's see. This is our PrivateArk server and you can say this server is up. So before running the disaster recovery setup you need to stop this service. So go to the services and, if you want, you can make it manual, and I'll stop this from this console. So I'm stopping this right now, so it's getting shut down. So now
we will start with our disaster recovery setup. So you just need to run this setup, Disaster Recovery, so one service will be installed. So click on Next, accept the license and provide the username; so the company name and the name, you can provide anything. Okay, so this is the user; as you can see, "Please enter the name of the replicate user". So this user will be replicating the data from this production vault to this vault. So what we need to do, we need to go to the PrivateArk server and log in with your administrator credentials. So this is our production vault. So go to Tools, and we will be using DR; this is the user. So as you can see, it's part of the DR Users group and it has these two permissions, backup all safes and restore all safes. So we will be using this user. So when you install the production vault or the DR vault for the first time, this user is disabled. So just go to Update and uncheck this option and provide one password; you can provide anything. So OK and Close. So why have we enabled this user? Because the DR user will be replicating the data from this production vault, the SecApps vault, to the SecApps DR vault, so it will use this user, DR. So provide that password here. Like if the user was not enabled, installing the DR might have failed, so that's why we have enabled it before this. So just click on Next. Provide the IP address, the address of the vault from where the replication will start, from where it will replicate the data, so just provide the production SecApps vault IP here. Click on Next. Yes, now we want to restart our computer; just click on Finish. Okay, so it's installed successfully. So let's log in with the... okay, our installation part is successfully completed. So we will see. Okay, as you can see, this server is like stopped, because right now our production vault is running fine. So sometimes what happens, this server goes down due to any reason, like the Logic Container is down or due to, you can say, the
network connectivity. So this server goes down, then automatically this server will come up, and the data will be synced; like right now the data which is going from this SecApps vault, the data you are storing to this vault, will be synced to this DR vault, so that when the production goes down then the DR vault comes online and the users can access the PrivateArk or PVWA or PSM or, you can say, CPM also. So, okay, first I'll show you the service of the disaster recovery. So just go to services.msc. Okay, so this is the service, and the rest of these services are the same, like the Event Notification Engine, Hardened Windows Firewall, Logic Container, and this is the extra service, you can say, Vault Disaster Recovery, and it's running fine; it's replicating the data from this SecApps vault to this DR vault. I'll show you the log files and all. And you can see the database running, the PrivateArk Database is running, and these two services have been stopped. So when you are running the disaster recovery or, you can say, the production vault, the PrivateArk Database and the, sorry, CyberArk Logic Container service should be running, because the Logic Container contains the policies related to PSM and PVWA and CPM, it's the container, you can say, and the database, it contains the metadata and all. So let's go to the log file. Go to your Program Files (x86), and these are the logs related to the server and the logs which are related to the disaster recovery. So go to PADR here. First of all we will see the configuration file. So you can see this is the main configuration file of the DR vault, PADR.ini, and how it's replicating the data from the production vault to this DR. And you can see it's using one user; I'll show you the user.ini, so it has the encrypted password of the DR user which we specified while installing the DR vault. And you can see this EnableCheck and EnableReplicate, EnableFailover;
these are settings related to the failover and the database sync. So what it will do, it's syncing the data with the SecApps vault; like the data which is already there on this vault, it will sync the data and all the data will come to this server. So if you are failing over, like if you are doing the failover, production to the DR, then users are not having any issue while accessing their data. And it keeps on checking; as you can see, CheckRetriesCount. So if this server goes down, it will check five times, and after five times it will not get any response from the SecApps vault, so this server will come online. So I'll be discussing more on this when I make a video on the different scenarios of the failover and the active-passive scenarios and all. And now we will check the log files. And this is the Vault.ini; you can see the production vault IP here, because it's replicating the data from the production vault to the DR vault. Now go to the log files and check. So as you can see, it's running fine; it's replicating the data from the production vault to this DR vault, and all the safes and all the files are replicated to this vault, because the DR user is part of the default users; like when you create a safe, the DR user is already mapped to that safe with those two permissions, the backup and the restore safe permissions. So that's why, using the DR user, data is getting replicated to this SecApps... So now I'll show you the... so these were the configuration file and the DR, you can say, log file. So let's verify this also. Go to Server and conf dot in and see. So this is the configuration file of this vault; like when we installed the vault, it's related to that only. So when this server will be up, then it will be using this dbparm.ini and other files. So we have already hardened this machine. Okay, so now what I'll do, I'll
point one of the PVWAs to this DR, and we will be making this server active, and after making this server active I will be installing the disaster recovery service on our production vault. So before that, how you can make this server up: just go to your log file, PADR.ini. So for the safer side what we will do... so okay, first verify if the logs... sorry, the replication has ended successfully. As you can see, your replication will start every two to three minutes or, you can say, five minutes. So when this ends, like when you see this "Replicate ended", at that point of time only you should make this server active; otherwise there might be some data loss or, sorry, you can get some error related to the data sync or the database sync. So that's why, for the safer side, we will wait for some time, and when we see this "Replicate ended" successfully then we will make this server active. So just wait for some time. So I think it will take some time; as you can see, it ended 40, or sorry, 426, and it started after five minutes, so I think it will be starting within one or two minutes. So meanwhile what we will do, we will just go to the configuration files of the PVWA and PSM and CPM. Go first to PVWA and then VaultInfo, open the Vault.ini and specify the IP address of your DR vault. So this is the IP address of the DR vault. So what it means: when your production is down, it can communicate to this vault. So it means when your production is available then it will communicate to this server, this IP, and when your DR is available it will communicate to this, so in that case users won't be having any issues. So sometimes what happens, users are connected to the production vault and the production vault goes down, then PVWA will automatically switch to your DR vault. So that's why we are
providing the IP addresses of both the vaults. So just save this file. Now make the changes for C..., sorry, PSM also. For the safer side we are not doing it for the CPM. So what happens: the CPM is already running its tasks on the SecApps vault, and what it does, before changing the password it makes the temporary file where it stores the data. Like after 10 days or after 15 days the CPM is going to change the password of an account, so before 15 or 10 days, you can say, it will store the temporary data of that account so that it can change the password. So all the information will be stored in this temp folder, you can see. So these are the policies. So to be on the safer side, to avoid the, you can say, split-brain scenario, we will disable the CPM service. Because sometimes what happens, it will change the password in the production vault and in the DR vault also, so there might be a chance of a password sync issue, like the password is different in the SecApps vault and it's different in the DR vault. So me is for that, so to be on the safer side we will just stop this service. So okay, first I'll change for the PSM. Go to CyberArk and PSM and make the same changes. Sorry for... so it's stopped. So what we will do, we will stop, or if you want you can disable, the CPM services. So in my case I'll disable the service, and the same I'll do with the password manager. So it's done, and we have already specified both the IPs in the configuration files, of the DR and the production. So let's see if... okay, so I think it's still running. Okay, so as per this configuration there is the auto failover mode. So I'll do one thing, I'll... okay, so let it be five only. I'll show you how it will communicate to the vault and how it will be... you will see the error when it was not able to communicate to the SecApps vault. So let's wait for... okay, it's still showing. So it's a virtual lab,
so I'll proceed, but in production you should take care of this; so when you get this message, then only you can start with your failover or anything you want. And in production, first of all a fresh full replication should be taken from the SecApps vault to the DR vault, and I'll be making a different video on that, so I'll be explaining more in that video, so I'm not going into more depth. So what we will do, we will go to the SecApps, or production, vault. Just open your services. First go to your PrivateArk Server, then I'll make it manual, because the PrivateArk Database should be automatic, so when you are restarting your server or, you can say, you are doing failover, the database service will automatically make the service up. So that's why I'm making this manual for now. So I'll do one thing, I'll stop the production vault from here. So our server is getting shut down. So this is, you can say, the automatic failover also. So let's go to the DR vault, and I'll do one thing, I'll show you the logs. So now what it will do, it's already communicating to the SecApps vault, and as the server is down, in that case the DR vault, the SecApps DR vault, won't be able to communicate, and it will try five times as per the configuration defined in the PADR.ini and then it will make this server up. So let's wait for a few minutes. And this FailoverMode will be Yes; you can say when your PrivateArk Server service is active then this FailoverMode will automatically get set to Yes. So meanwhile I'll copy the setup onto this server. So just go to the... so this is the server; actually we have already installed the production on this. Okay, so I think it's the hardened machine, so it will not allow the copy-paste option. So what we will do, we will copy from this Private
Ark client. So let's wait; once our failover is completed then we will start with this process. Okay, so go to your logs and see. Okay, so as you can see... okay, so let me go to full screen. You can see this error, "Vault transaction failed. Reason: timeout has expired". So it has started checking this SecApps vault and it's not getting any response from this vault. So it's using one ICMPv4 ping for this process; I'll show you, that is one of the, you can say, Internet Control protocol, so it's using that protocol to check the heartbeat, you can say, the heartbeat of this vault. So when it's not getting the response from that, it's checking the connection, so it will check five times. So let's wait for another two to three minutes. So it has checked two times, so let's see, and meanwhile we will see if the server is up or not. So what happens in production, there are different scenarios. So to do a safe failover or failback while our DR vault is active, in that case we can just stop or disable the PrivateArk service on one of the servers. So just a minute... okay, sorry for the inconvenience. So let's verify the log file. So go to your PADR, and it has failed four times, so after one more time this server will be active. Okay, so it's already active, so I think it has already checked five times. Okay, so you can see this server is active. So this is, you can say, automatic failover. So I'm not going into more depth because we need to install the disaster recovery service on our production vault. So meanwhile I'll show you the connection, if it's working fine or not. So let's go to your Internet Explorer. Sorry, we will verify if we are able to log in to the PVWA or not. As you can see, this server is down, our production is down, and our DR server is up. So let's verify. Okay, so I think we are able to open the PVWA because it is pointing to the DR right now. Sorry, okay, I think it's taking time, so what I'll do,
I'll try with the IP address. I think it's getting slow. So let's wait for one or two minutes, otherwise I'll restart the service of the PVWA. Okay, I'm just resetting the IIS; everything is getting slow, so it happens in your virtual machine. So now we will see if we are able to connect or not. So let's open here. So meanwhile what we will do, we will copy the setup; we will copy this disaster recovery setup to the production. So first log in with your... okay, actually I haven't installed the client on this, so I need to install that client also. Okay, so now we are in, so we will verify if we are able to log in or not. Okay, so you can see we have successfully logged in, and the account which we onboarded previously, let's see if that account is also replicated successfully or not. So okay, let me... okay, as you can see, this is the user, test user. So okay, so I haven't installed the client, so let me install the client here because we need to copy the disaster recovery setup. You can specify any name, so I'll check upstair, and the address of your DR vault. Okay. Okay, so if I restart this machine... so in production you shouldn't do this because your production vault is already down; this is a virtual machine, so that's why I can restart this machine. So let me restart. So meanwhile it's getting restarted, so let's wait for one or two minutes. So meanwhile I'll skip that part. Okay, we are done with the PrivateArk client installation. So now what we will do, we will copy the setup file to this PrivateArk client and then we will download the disaster recovery setup file from the SecApps vault. So just... okay, so first log in to your DR, so use the administrator. Opens as DR has failed. Okay, sorry, I specified the wrong... okay, so it should be .4, so now try. Okay, so we are able to log in. So this is the safe, SecApps Learning. We will be copying the data, this disaster recovery, to
paste. So we have successfully copied. Now log off and go to your SecApps vault and open the PrivateArk client. So here's the thing: this is used for logging in to the production vault, but our production vault is down. So what we will do, we will create one more: go to File, New, Server, and just change this, and you can specify anything. So click on OK. So you can see we have two PrivateArk client icons, so we can log in to the DR. So right now the DR is active, so that's why we can log in to the DR only. So specify the password. Okay, so I think it will not log in; there is some connection issue. So let me verify if we are able to ping the DR vault from this server. So okay, as you can see, it's not able to ping, so I think there's something related to the port. So what we will do... okay, so let me just... so it happens sometimes, related to, you can say, the port. So how you can open the port monster report: go to your inbound rules. As you can see, there is no inbound rule or outbound rule to accept the communication. So I'll show you the inbound rule and outbound rule of the DR vault. So go to the inbound; as you can see, this is the inbound rule, so we will see what's that. So when you click that, you can see the inbound rule, it's allowing the connection, and let me verify the port. So you can see this is the CyberArk patent port, and the default, you can say, 1858. But in the production we don't have this rule, you can say, so that's why it's not able to log in from here. So what we will do... okay, so we will check this one also. Okay, so this is the protocol which I was telling you about, how the DR vault communicates, how it checks the heartbeat of the SecApps vault. So this is the protocol, ICMPv4. So this protocol is responsible for checking the heartbeat, you can say, from the production vault, from the active vault. So the same, there will be two rules. So what we will do, we will go to the SecApps and we will create two rules: Program, All programs, then click on
Next, Allow the connection, Next. So why I'm allowing all the programs: it should allow all the connections. So in production you don't have to do this because the ports were already opened by the network team or the respective team. So in the virtual we are just opening this port. So let me open one outbound also, let me create one; so just click on and allow all the programs. So if you want you can allow the custom port also, but it's a virtual machine, so that's why I'm allowing all the ports. So you can give any name you want. So let's try if we are able to log in or not. So just go to the SecApps DR and try with your administrator password. Okay, as you can see, we are able to log in now. So that was related to the port also; the firewall, there was no rule in the SecApps vault. So now what we will do, we will go to the SecApps Learning, and this is the setup, so we will copy this setup to our desktop. Okay, so we are done. So let's close this and we will extract this. So before that what I'll do, I'll make this service disabled, because when we install the disaster recovery service, this service should not come up. So I'll do one thing, I'll disable it to be on the safer side. So just install this Disaster Recovery. So why are we installing the disaster recovery service on the production vault? So here are the two things: when your SecApps vault was up, was active, in that case the DR service was running on this server and it was replicating the data from your SecApps vault to the DR vault. But right now this SecApps vault has become active, so in that case you should replicate the data from this vault to this, because now your active vault has been changed; now this is your active vault and this will act as a DR. So that's why we are installing the DR service on this server, so there is no data loss or, you can say, no data sync issue. So just
Run as administrator. Okay, and before that what we will do, we will use a different user so that there is no password-related issue. So we will go to the users, sorry, Tools, Administrative, Users, and the... so this is one of the users, already inbuilt users. So what we will do, we will just create one. So just create New User, and you can type anything; DR, I'll use DR_2, and it will be... yes, this is the main thing: this is DR users; you can see these are the user types. So when you click on the EPV user then it will not be able to replicate the data, so that's why you should always select the DR user when you are creating a new user. And Authentication: just specify the password, Password never expires; just specify the password you want. Okay, so it should have the backup all safes and restore all safes permissions. And now go to the... and yes, this should be a member of the DR Users group. Click on OK, and you can see our DR_2 user has been created. Now close and log off. Now go to your setup, just click on Next, Yes, specify your... sorry, click on Next, Next, Yes. Now you need to specify the user which we have just created, so specify the password. So what it will do: when this SecApps vault will act as a DR, then it will use this user to replicate the data, and when this SecApps DR vault will act as a DR then it will use the DR user which we enabled while we were installing the disaster recovery service. So just click on Next, and you need to specify the IP address of this, because now this server is active, it's acting as production now. So just specify the IP address. Okay, so if you want you can restart. Yes, we will restart this service. So log in and see if... okay, what happened to this? Okay, okay, log in with the local administrator. So we will verify the logs; just go to the PADR logs. Okay, so as you can see, now this active server is acting as a DR vault and this DR vault is acting as an active server or, you can say, the production server. So
this is the concept behind having a production vault and the DR vault as a backup server, you can say. So when your production is down then it will automatically come online and there won't be any user impacted. So now it's replicating the data from this vault to this vault; you can see it started replicating everything. So let me verify today's topics. So we have already discussed the prerequisites, the installation, and the main configuration, which is the PADR.ini, and the ports, like it's using the 1858 port only, and the replication. Okay, so DR full, incremental; and I'll show you the full replication, what that means. So go to the configuration and the PADR. So this means when it's running for the first time it will replicate the full data, you can say the full dump. So if you want to have the full dump now, full replication, then you can just remove these two lines and save this. So just go to your services and do one thing: restart this CyberArk Vault Disaster Recovery service, which is the DR service. So let's go to the log file. Okay, sorry, I'll do one thing, I'll create one more log; I'll rename this and we will create a new log file. Okay, so actually the DR service is using this, so that's why it will not let you create the new one; so you can create one when the DR service is stopped. So you can see, I'll show you the full replication. Okay, so you can see "triggering full replication". So in this way you can trigger the full replication. So it's only done when you are doing the failover; in that case you can just run the full replication. Okay, so let me... okay, sorry for the disturbance, actually there was an urgent call. So okay, so we were discussing the full replication. So as you can see, when you remove those two lines from the PADR.ini it will start the full replication, and now when you go to the PADR.ini then you can verify;
as you can see, these two lines have appeared again, because it has replicated the data. So what it will do, it will start replicating the incremental now, so whatever new things come to this, it will replicate that data. So this was the full replication concept. And now, we have already discussed the DR user and its permissions and a DR vault concept; so we have already discussed, because we need to have one active vault and one passive vault, you can say, so when the active goes down then your passive will become active, so users are not impacted and they can use CyberArk without any issues. And we have also discussed these identical settings, because the settings should be the same, otherwise you will have issues related to your data sync or, you can say, there might be some out-of-sync issues. And now, we have already discussed the DR vault services, and routing the PVWA we have already discussed. Okay, so one thing is left, so I will be showing you the connection. So let's log in to your PVWA. So let me verify if it's still... and let me log in to Active Directory also. So right now our production is up; also a DR is acting as production. So first verify if this server is... yes, it's up. So just log in with your administrator, and before making the connection we will restart the Privileged Session, PSM, service. So as you can see, this service is already stopped, so just click on Start. I think it's taking time, so meanwhile what we will do, we will switch to classic. There shouldn't be any issue regarding the connection. So let's go to full mode. So just click on Refresh. Okay, your service has been restarted successfully. So we will try to make the connection now. So just click on the Connect button, and the remote machine should be this; yeah, this is our Active Directory. So right now our PSM and the PVWA have been routed to the DR. So let's see if we are able to make the connection or not. If
the connection is successful, then the password and the settings of this account are successfully replicated to the disaster recovery vault. Okay, it's taking time, so let's see. Okay, so we are in, we are able to login successfully, which means our DR is working fine and it has the replicated data from this server to this. So let me go to the mini mode.

Okay, so we'll verify. We have already discussed about the PADR, and we'll check if the production vault server is active. So I have already explained it uses the ICMPv4, and you can also change the settings so it will use the DR user also to check the inactivity between the production and the DR. And we have also discussed about the DR vault log files, and also enabled the DR user, and also created a new DR user for the production vault.

So at last I'll show you one thing. So let me go to the DR, login with your administrator. So these are the two users, and both users are the member of this DR Users group. And, like, this user will be used when your, this sec fdr will be acting as a DR vault, and it will use this user to replicate the data, and when your production vault is acting as a DR then it will use this user. So why have we created these two users? To avoid the password authentication issue, you can say. So when you are doing the failover, sometimes what happens, your password is, like, uh, not able to get replicated, DR to prod or prod to DR. So that's why we are using two different users. Okay, so I think we are done for today's video. [Music]
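The full-versus-incremental behaviour described in the captions, as an added example (not code from the video or from CyberArk): this script reads a padr.ini and reports which replication the DR service would run at its next start, then checks a log for the "triggering full replication" message. The captions never name the two lines, so the two key names are an assumption, and the sample file and log lines are constructed.

```python
# Assumption: the video does not name the two lines; these replication-state
# key names are assumed here. Pass your own names if your padr.ini differs.
STATE_KEYS = ("NextBinaryLogNumberToStartAt", "LastDataReplicationTimestamp")

# Constructed sample padr.ini content (all values are made up).
SAMPLE_INI = """[MAIN]
; constructed sample, not a real configuration
ExampleOtherSetting=Yes
NextBinaryLogNumberToStartAt=42
LastDataReplicationTimestamp=1630569600
"""

# Constructed log lines; only the phrase "triggering full replication"
# comes from the video.
SAMPLE_LOG = """02/09/2021 10:00:01 DR service started
02/09/2021 10:00:05 Triggering full replication
"""

def ini_keys(text):
    """Return the lower-cased parameter names set in the file."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue  # skip blanks, comments and section headers
        keys.add(line.split("=", 1)[0].strip().lower())
    return keys

def next_replication_mode(text, state_keys=STATE_KEYS):
    """'incremental' if every state line is present, 'full' if none is."""
    present = ini_keys(text)
    found = [k for k in state_keys if k.lower() in present]
    if len(found) == len(state_keys):
        return "incremental"
    # Only some of the lines left means the manual edit was incomplete.
    return "full" if not found else "inconsistent"

def without_state_lines(text, state_keys=STATE_KEYS):
    """The manual edit from the video: drop the state lines, keep the rest."""
    drop = {k.lower() for k in state_keys}
    kept = [line for line in text.splitlines()
            if line.split("=", 1)[0].strip().lower() not in drop]
    return "\n".join(kept) + "\n"

def full_replication_logged(log_text):
    """True if any log line reports that a full replication was triggered."""
    return any("triggering full replication" in line.lower()
               for line in log_text.splitlines())

if __name__ == "__main__":
    print(next_replication_mode(SAMPLE_INI))
    print(next_replication_mode(without_state_lines(SAMPLE_INI)))
    print(full_replication_logged(SAMPLE_LOG))
```

Run it against a copy of the file rather than the live one, since the DR service rewrites padr.ini itself once the full replication has finished.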
Info
Channel: SecApps Learning
Views: 2,496
Rating: 4.9629631 out of 5
Keywords: cyberark full course, cyberark tutorial for beginners, secapps learning, cyber security training for beginners, cyberark demo, cyberark, cyberark vault installation step by step, cyberark vault, cyberark vault installation prerequisites, cyberark pvwa installation, cyberark cpm installation, cyberark psm installation, cyberark psm installation guide, cyberark for beginners, cyberark free training, cyberark free course, cyberark vault hardening, vmware workstation installation
Id: kUS6Zle_yAg
Length: 319min 22sec (19162 seconds)
Published: Thu Sep 02 2021