The Privileged Access Management solution provides an out-of-the-box target platform to manage SSH keys, called UNIX Via SSH Keys.
How are these keys managed?
Correct Answer:
A
SSH keys are a way to authenticate to a target machine with a privileged account, and are subject to the same risks and challenges as privileged passwords. CyberArk provides an out-of-the-box target platform to manage SSH keys, called UNIX Via SSH Keys, which simplifies and automates SSH keys lifecycle management. This platform works as follows:
✑ CyberArk stores the private keys in the Vault, where they benefit from all the security and accessibility features of the Vault, such as encryption, auditing, and backup.
✑ CyberArk updates the public keys on the target systems, using a parent account that has access to the file that contains the public key, such as ~/.ssh/authorized_keys. CyberArk can generate new random SSH key pairs and update the public keys on the target systems according to the organizational policy, such as after a single use, after a predefined period, or manually.
✑ CyberArk can also verify that the private and public keys are synchronized, and reconcile them if they are not, using a reconcile account that can reset the SSH key pairs on the target systems.
References: Manage SSH Keys, Use SSH Keys
When managing SSH keys, the CPM stored the Private Key
Correct Answer:
A
When managing SSH keys, the CPM stores the private key in the Vault. The CPM generates a new random SSH key pair and updates the public SSH key on the target server. The new private SSH key is then stored in the Digital Vault where it benefits from all the accessibility and security features of the Vault. The private SSH key is never stored on the target server, as this would expose it to unauthorized access or theft. The private SSH key cannot be generated from the public key, as this would defeat the purpose of asymmetric encryption. References:
✑ Manage SSH Keys
✑ SSH Key Manager
✑ Use SSH Keys
dbparm.ini is the main configuration file for the Vault.
Correct Answer:
B
dbparm.ini is not the main configuration file for the Vault. It is one of the several configuration files that control the initial settings and method of operation of the Server. The main configuration file for the Vault is DBParm.ini, which contains the general parameters of the database, such as the Vault name, the Vault IP address, the Vault port, the encryption algorithm, the log retention, and the debug mode. References:
✑ DBParm.ini - CyberArk, section “Main parameters”
What is the configuration file used by the CPM scanner when scanning UNIX/Linux devices?
Correct Answer:
A
The configuration file used by the CPM scanner when scanning UNIX/Linux devices is UnixPrompts.ini. This file is located in the CPM scanner installation folder and can be customized according to the UNIX/Linux machine’s specific configuration. The file contains parameters that define the prompts and paths for various commands and files used by the CPM scanner, such as login password, sudo password, sudo error, passwd file, group file, shadow file, and sudoers file. References: Configure the CPM Scanner, CPM Scanner parameters file (CACPMScanner.exe.config)
Which command generates a full backup of the Vault?
Correct Answer:
A
The command PAReplicate.exe with the /FullBackup option is used to generate a full backup of the CyberArk Vault. This command requires the Vault configuration file (typically Vault.ini) and a credential file (specified with /LogonFromFile) that contains the user’s encrypted logon credentials. The /FullBackup option indicates that a full backup of the Vault is to be performed, as opposed to an incremental backup. References:
✑ CyberArk Docs: Install the Vault Backup Utility
✑ CyberArk Knowledge Article: PAReplicate Configuration and Usage