PAM-SEN

Question 1

You are installing a CPM.
In addition to Add Safes, Add/Update Users, Reset Users’ Passwords and Manage Server File Categories, which Vault authorization(s) does a CyberArk user need to install the CPM?

Answer 1

B. Activate Users

Question 2

In which configuration file do you add LoadBalancerClientAddressHeader when you enable x-forwarding on the PVWA loadbalancer?

Answer 2

B. web.config

Question 3

You are configuring SNMP remote monitoring for your organization’s Vault servers.
In the PARAgent.ini, which parameter specifies the destination of the Vault SNMP traps?

Answer 3

A. SNMPHostIP

Question 4

You want to improve performance on the CPM by restricting accounts for the CYBRWINDAD platform to only the WINDEMEA and WINDEMEA_Admin safes.
How do you set this in CyberArk?

Answer 4

A. In the CYBRWINDAD platform, under Automatic Password Management/General, configure AllowedSafes and set to (WINDEMEA)|(WINDEMEA_ADMIN).

Question 5

Before the hardening process, your customer identified a PSM Universal Connector executable that will be required to run on the PSM.
Which file should you update to allow this to run?

Answer 5

A. PSMConfigureAppLocker.xml

Question 6

How should you configure PSM for SSH to support load balancing?

Answer 6

A. by using a network load balancer

Question 7

In which configuration file on the Vault can filters be configured to either include or exclude log messages that are sent through SNMP?

Answer 7

A. PARAgent.ini

Question 8

A first PSM server has been installed.
What should you confirm before installing any additional PSM servers?

Answer 8

C. The user performing the installation is not a direct owner in the PSMUnmanagedSessionAccounts Safe.

Question 9

During the PSM installation process, Safes and a User are created.
In addition to Add Safes, Add/Update Users, Reset Users’ Passwords, and Activate Users, which authorization(s) does the Vault user installing the PSM need to enable them to be successfully created?

Answer 9

B. Manage Server File Categories

Question 10

Your customer wants to store the Safes Data on Vault Drive D instead of Drive C.
Which file should you edit?

Answer 10

A. TSparm.ini

Question 11

What must you do to prepare a Windows server for PVWA installation?

Answer 11

A. In the InstallationAutomation folder, run the PVWA_Prerequisites.ps1 file as an administrator in Powershell.

Question 12

Which statement about REST API is correct? (Choose two.)

Answer 12

A. When a user successfully authenticates to the Vault, an authentication token is returned.
D. Each REST API call requires that a valid authentication token be provided.

Question 13

HTML5 Gateway can be installed on which supported UNIX OS versions? (Choose two.)

Answer 13

A. Red Hat Enterprise Linux 7.x
B. CentOS 7.x

Question 14

Which utility should be used to register the Vault in Amazon Web Services?

Answer 14

A. CAVaultManager

Question 15

You are configuring the Vault to send syslog audit data to your organization’s SIEM solution.
What is a valid value for the SyslogServerProtocol parameter in DBPARM.INI file?

Answer 15

A. TLS

Question 16

When creating a distributed Vault environment architecture, what is the maximum number of Vault servers that can be deployed?

Answer 16

C. 6 - 1 primary and 5 satellite

Question 17

Arrange the steps to complete CPM Hardening for Out-of-Domain Deployment in the correct sequence.

Answer 17

1. Locate the CPM_Hardening.ps1 script in the installation media.
2. Open Powershell as Administrator and run the script.
3. Review these script logs: HardeningScript.log and CybrHardeningsecedit.log

Question 18

To enable LDAP over SSL for a Vault when DNS lookups are blocked, which step must be completed?

Answer 18

A. Add the FQDN & IP details for each LDAP host into the local hosts file of the Vault server.

Question 19

In which file must the attribute ‘SignAuthnRequest=”true”’ be added to the PartnerIdentityProvider element to support signed SAML requests?

Answer 19

A. saml.config

Question 20

A customer is moving from an on-premises to a public cloud deployment.
What is the best and most cost-effective option to secure the server key?

Answer 20

C. Install the Vault using the native cloud images and secure the server key using native cloud Key Management Systems.

Question 21

Your customer upgraded recently to version 12.2 to allow the Linux team to use the new MFA caching feature. The PSM for SSH was installed with default configuration settings. After setting the Authentication to SSH key and enabling MFA Caching from the PVWA interface, the Linux Team cannot connect successfully using the new MFA caching feature.
What is the most probable cause?

Answer 21

A. OpenSSH 7.8 or above is not installed.

Question 22

You want to add an additional maintenance user on the PSM for SSH.
How can you accomplish this if InstallCyberarkSSHD is set to Yes or No?

Answer 22

B. Create a local user called proxymng<number>.</number>

Question 23

Which service must be set to Automatic (delayed start) after the Vault is installed and configured?

Answer 23

A. Windows Time service

Question 24

Which SMTP address can be set on the Notification Settings page to re-invoke the ENE setup wizard after the initial Vault installation?

Answer 24

D. 1.1.1.1

Question 25

CyberArk User Neil is trying to connect to the Target Linux server 192.168.1.164 using a domain account ACME/linuxuser01 on domain acme.corp using PSM for SSH server 192.168.65.145.
What is the correct syntax?

Answer 25

C. ssh neil@linuxuser01@192.168.1.164@192.168.65.145

Question 26

In addition to bit rate and estimated total duration of recordings per day, what is needed to determine the amount of storage required for PSM recordings?

Answer 26

A. retention period

Question 27

Which components can connect to a satellite Vault in a distributed Vault architecture?

Answer 27

B. PVWA, PSM

Question 28

You are installing PSM for SSH with AD-Bridge and CyberArkSSHD mode set to integrated for your customer.
Which additional packages do you need to install to meet the customer’s needs? (Choose two.)

Answer 28

A. CARKpsmp-infra
B. libssh

Question 29

Which component should be installed on the Vault if Distributed Vaults are used with PSM?

Answer 29

A. RabbitMQ

Question 30

What is the default username for the PSM for SSH maintenance user when InstallCyberarkSSHD is set to yes?

Answer 30

A. proxymng

Question 31

Which parameter must be identical for both the Identity Provider (IdP) and the PVWA?

Answer 31

C. IdP “Audience” and “ServiceProviderName” in the PVWA saml.config file

Question 32

All 80 employees from your satellite Tokyo office are complaining that browsing the PVWA site is very slow; however, your New York headquarters users are not experiencing this. The current PAM solution is:
2 distributed Vaults, the primary one in New York and a satellite in Tokyo
2 PVWA servers, both in New York with load balancing configured
2 PSM servers, both in New York without load balancing configured
1 CPM server in New York
All PVWA, PSM, and CPM servers are connected to the primary Vault
Which proposal optimally resolves the performance issue while minimizing the impact to production?

Answer 32

A. Install two new PVWA servers in Tokyo data center, configure load balancing, connect to the local satellite Vault and provide the URL of new PVWA servers to the local employees.

Question 33

You have been asked to limit a platform called “Windows_Servers” to safes called “WindowsDC1” and “WindowsDC2”. The platform must not be assigned to any other safe.
What is the correct way to accomplish this?

Answer 33

A. Edit the “Windows_Servers” platform, expand “Automatic Password Management”, then select General and modify “AllowedSafes” to be (WindowsDC1)|(WindowsDC2).

Question 34

The account used to install a PVWA must have ownership of which safes? (Choose two.)

Answer 34

A. VaultInternal
D. Notification Engine

Question 35

DRAG DROP -
Arrange the steps to install the Password Vault Web Access (PVWA) in the correct sequence.

Answer 35

PVWAPrerequisites.ps1 script, PVWAInstallation.ps1 script, PVWARegisterComponents.ps1 script then PVWA_Hardening.ps1

Question 36

Which configuration file and Vault utility are used to migrate the server key to an HSM?

Answer 36

A. DBparm.ini and CAVaultManager.exe

Question 37

There is a requirement for a password to change between 01:00 and 03:00 on Saturdays and Sundays; however, this does not work consistently.
Which platform setting may be the cause?

Answer 37

C. The DaysToRun setting for the platform is incorrect and must be set to Sat,Sun.

Question 38

What must you do to synchronize a new Vault server with an organization’s NTP server?

Answer 38

A. Configure an AllowNonStandardFWAddresses rule for the organization’s NTP server in DBParm.ini on the Vault server.

Question 39

You need to add a new PSM server to an existing CyberArk environment.
What is the best way to determine the sizing of this server?

Answer 39

A. Review the “Recommended Server Specifications” for PSMs in the CyberArk Documents website.

Question 40

Which file must you edit to ensure the PSM for SSH server is not hardened automatically after installation?

Answer 40

C. psmpparms

Question 41

When integrating a Vault with HSM, which file is uploaded to the HSM device?

Answer 41

A. server.key

Question 42

What is a prerequisite step before CyberArk can be configured to support RADIUS authentication?

Answer 42

B. In the RADIUS server, define the CyberArk Vault as a RADIUS client/agent.

Question 43

A customer wants to store PSM recordings for 100 days and estimates they will have 10 Windows sessions per day for 100 minutes each.
What is the minimum storage required for the Vault and PAReplicate for the PSM recordings?

Answer 43

B. 250 GB

Question 44

In large-scale environments, it is important to enable the CPM to focus its search operations on specific Safes instead of scanning all Safes it sees in the Vault.
How is this accomplished?

Answer 44

B. AllowedSafe Parameter on each platform policy

Question 45

In addition to disabling Windows services or features not needed for PVWA operations, which tasks does PVWA_Hardening.ps1 perform when run? (Choose two.)

Answer 45

A. performs IIS hardening
E. imports the CyberArk INF configuration

Question 46

When SAML authentication is used to sign in to the PVWA, which service performs the actual authentication?

Answer 46

B. Identity Provider (IdP)

Question 47

Which components support load balancing? (Choose two.)

Answer 47

B. PVWA
C. PSM

Question 48

Which method can be used to directly authenticate users to PSM for SSH? (Choose three.)

Answer 48

A. CyberArk authentication
B. LDAP authentication
C. RADIUS authentication

Question 49

You are designing the number of PVWAs a customer must deploy. The customer has three data centers with a distributed Vault in each, requires high availability, and wants to use all Vaults at all times.
How many PVWAs does the customer need?

Answer 49

A. six or more

Question 50

After installing the Vault, you need to allow Firewall Access for Windows Time service to sync with NTP servers 10.1.1.1 and 10.2.2.2.
What should you do?

Answer 50

A. Edit DBParm.ini to add: AllowNonStandardFWAddresses=[10.1.1.1,10.2.2.2],Yes,123:outbound/udp.

Question 51

Which command should be executed to harden a Vault after registering it to Azure?

Answer 51

A. HardenAzureFW.ps1

Question 52

Which files does the Vault Installation Wizard prompt you for during the Vault install?

Answer 52

A. Operator CD and License

Question 53

Which statement is correct about a post-install hardening?

Answer 53

C. It is executed after Vault installation by running CAVaultHarden.exe and hardening options can be edited by changing the Hardening.ini file.

Question 54

As a member of a PAM Level-2 support team, you are troubleshooting an issue related to load balancing four PVWA servers at two data centers. You received a note from your Level-1 support team stating “When testing PVWA website from a workstation, we noticed that the “Source IP of last sign-in” was shown as the VIP (Virtual IP address) assigned to the four PVWA servers instead of the workstation IP where the PVWA site was launched from.”
Which step should you take?

Answer 54

A. Verify the “LoadBalancerClientAddressHeader” parameter setting in PVWA configuration file Web.config is set to “X-Forwarded-For”.

Question 55

You are installing the HTML5 gateway on a Linux host using the RPM provided.
After installing the Tomcat webapp, what is the next step in the installation process?

Answer 55

A. Deploy the HTML5 service (guacd).

Question 56

What is required before the first CPM can be installed?

Answer 56

A. The environment must have at least one Vault and one PVWA installed.

Question 57

When configuring RADIUS authentication, which utility is used to create a file containing an encrypted version of the RADIUS secret?

Answer 57

A. CAVaultManager

Question 58

What is the purpose of the CPM_Preinstallation.ps1 script included with the CPM installation package?

Answer 58

D. It verifies the NET version installed on the server and sets the IIS SSL TLS server configuration.

Question 59

Which tools are used during a CPM renaming process? (Choose two.)

Answer 59

A. APIKeyManager Utility
B. CreateCredFile Utility

Question 60

When performing “In Domain” hardening of a PSM server, which steps must be performed? (Choose two.)

Answer 60

A. Import CyberArk policy settings from the provided file into a new GPO.
C. Link GPO to a dedicated OU containing CyberArk PSM servers.

Question 61

Which step is required to register a Vault manually in Amazon Web Services using CAVaultManager?

Answer 61

C. Specify the Cloud region using the /CloudRegion flag

Question 62

What authentication methods can be implemented to enforce Two-Factor Authentication (2FA) for users authenticating to CyberArk using both the PVWA (through the browser) and the PrivateArk Client?

Answer 62

A. LDAP and RADIUS

Question 63

Which pre-requisite step must be completed before installing a Vault?

Answer 63

B. Install a clean operating system.

Question 64

Which browser is supported for PSM Web Connectors developed using the CyberArk Plugin Generator Utility (PGU)?

Answer 64

B. Google Chrome

Question 65

What is a valid combination of primary and secondary layers of authentication to a company’s two-factor authentication policy?

Answer 65

A. RSA SecurID Authentication (in PVWA) and LDAP Authentication

Question 66

You want to add an additional maintenance user on the PSM for SSH.

Answer 66

C. Create a local user and add it to group configured for the parameter AllowGroups in the /etc/sshd_config file.

Question 67

Which authentication methods does PSM for SSH support?

Answer 67

D. CyberArk Password, LDAP, RADIUS

Question 68

Which statement is correct about CPM behavior in a distributed Vault environment?

Answer 68

A. CPMs should only access the primary Vault. When it is unavailable, CPM cannot access any Vault until another Vault is promoted as the new primary Vault.

Question 69

What is the purpose of the PSM health check hardening?

Answer 69

A. Remove IIS settings which can be considered security vulnerabilities.

Question 70

A customer’s environment has three data centers consisting of 5,000 servers in Germany, 10,000 servers in Canada, and 1,500 servers in Singapore. You want to manage target servers and avoid complex firewall rules. How many CPMs should you deploy?

Answer 70

D. 6 total, 2 per data center

Question 71

What is a step to enable NTP synchronization on a stand-alone Vault?

Answer 71

C. Edit dbparm.ini and add a Firewall rule for the NTP address.

Question 72

What are the basic network requirements to deploy a CPM server?

Answer 72

A. Port 1858 to Vault and Port 443 to PVWA

Question 73

You want to change the name of the PVWAappuser of the second PVWA server.

Answer 73

D. Rename user in PrivateArk
E. Create new cred file for user

Question 74

Which statements are correct about the PSM HTML5 gateway? (Choose two.)

Answer 74

B. It does not support connections to target system where NLA is enabled on the PSM server
D. Printer redirection cannot be enabled

Question 75

A customer has five PVWA servers. Three are located at the primary data center and the remaining two are at a satellite data center.

What is important to consider about the load balancer? (Choose two.)

Answer 75

A. It must not alter page content, or should include a mechanism to prevent pages from being altered.
B. It must support “sticky sessions”.

Question 76

A new domain controller has been added to your domain. You need to ensure the CyberArk infrastructure can use the new domain controller for authentication.

Which locations must you update?

Answer 76

A. on the Vault server in C:\Windows\System32\drivers\etc\hosts and in the PVWAApplication under Administration > LDAP Integration > Directories > Hosts

Question 77

You are beginning the post-install process after a manual PSM installation is completed.

What must you do?

Answer 77

A. Disable screen saver for the PSM local users.

Question 78

As Vault Admin, you have been asked to enable your organization’s CyberArk users to authenticate using LDAP.

In addition to Audit Users, which permission do you need to complete this task?

Answer 78

B. Manage Directory Mapping

Question 79

Which user is enabled when replicating data between active and stand-by Vaults?

Answer 79

A. DR

Question 80

This value needs to be added to the PVWA configuration file:

Assuming all CyberArk PVWA servers were installed using default paths/folders, which configuration file should you locate and edit to accomplish this?

Answer 80

A. c:\inetpub\wwwroot\passwordvault\web.config

Question 81

A customer has five main data centers with one PVWA in each center under different URLs.

How can you make this setup fault tolerant?

Answer 81

D. Load balance all PVWAs under same URL.

Question 82

What is the recommended method to determine if a PVWA is unavailable and should be disabled in a load balancing pool?

Answer 82

A. Monitor Port 443 on the PVWA server

Question 83

For redundancy, you want to add a secondary RADIUS server.

What must you do to accomplish this?

Answer 83

C. Open the DBParm.ini on the Vault server. Add the second RADIUS server configuration settings after the first one, separated by a comma.

Question 84

Which parameter must be provided when registering a primary Vault in Azure, but not in Amazon Web Services?

Answer 84

D. /RDPGateway

Question 85

Which component must be installed before the first CPM installation?

Answer 85

C. PVWA

Question 86

You are setting up a Linux host to act as an HTML 5 gateway for PSM sessions.

Which servers need to be trusted by the Linux host to secure communications through the gateway?

Answer 86

A. PSM and PVWA

Question 87

What is a requirement for setting fault tolerance for PSMs?

Answer 87

A. Use a load balancer

Question 88

A customer asked you to help scope the company’s PSM deployment.

What should be included in the scoping conversation?

Answer 88

C. Recordings retention period

Question 89

A customer has three data centers distributed globally and wants highly-available PSM connections in each segmented zone. In addition, the customer needs a highly-available PSM connection for the CyberArk Admins.

What will best satisfy this customer’s needs?

Answer 89

C. two PSMs per zone with a load balancer and two PSMs for Admins with a dedicated load balancer

Question 90

The installCyberArkSSHD parameter on the PSM for SSH can be set to multiple values.

Match each value to the correct condition.

Answer 90

Yes - Override the local SSHD service with a CyberArk customized SSHD service to benefit from full PSM for SSH functionality.
No - Do not install the CyberArk SSHD service. Significant functional limitations apply.
Integrated - The local SSHD service is configured to work through the PAM (Pluggable Authentication Module), which is deployed as part of the PSM for SSH installation. This is the default value.

Question 91

A customer has two data centers and requires a single PVWA url.

Which deployment provides the fastest time to reach the PVWA and the most redundancy?

Answer 91

A. Deploy two PVWAs behind a global traffic manager.

Question 92

What is determined by the “MaxConcurrentConnections” setting within a platform?

Answer 92

A. maximum number of concurrent connections that can be opened between the CPM and the remote machines for the platform

Question 93

If a customer has one data center and requires fault tolerance, how many PVWAs should be deployed?

Answer 93

A. two or more

Question 94

You are installing multiple PVWAs behind a load balancer.

Which statement is correct?

Answer 94

C. The load balancer must support “sticky sessions”.

Question 95

What is a prerequisite step before installing the Vault on Windows 2019?

Answer 95

B. Check that the server IP address is correctly configured and that it is static

Question 96

After installing the first PSM server and before installing additional PSM servers, you must ensure the user performing the installation is not a direct owner of which safe?

Answer 96

A. PSMUnmanagedSessionAccounts Safe

Question 97

A. PSMUnmanagedSessionAccounts Safe

Answer 97

1. Validate that the Primary CPM’s services are stopped and set to manual.
2. On the DR CPM, confirm details in the Vault.ini configuration file, reset the password to the CPM user, and recreate the credential file.
3. Enable the CPM services on the DR CPM.
4. Review logs to confirm the DR CPM services are running as expected.