During a High Availability (HA) node switch, if an error occurs and the Cluster Vault Manager Utility fails back to the original node, you should check the following log files to investigate the cause of the issue:

VaultDB.log : This log file contains information related to the database operations within the CyberArk Vault.  It can provide insights into any issues that may have occurred during the database transactions at the time of the node switch 1 .

PM_Error.log : The PM_Error.log file records errors encountered by the Password Manager (PM) during its operations.  This log can help identify any issues related to password management that might have contributed to the failure of the node switch 1 .

ClusterVault.console.log : The ClusterVault.console.log file includes error, warning, and information messages from the CyberArk Digital Cluster Vault.  It is used for advanced troubleshooting and can reveal details about the error that caused the failback to the original node 2 .

References :

CyberArk Docs - Troubleshooting High Availability issues 1

CyberArk Docs - Monitoring the CyberArk Digital Cluster Vault Server 2

  According to the CyberArk documentation 1 , the Password Upload utility must run from the Central Policy Manager (CPM) server. This utility works by uploading passwords and their properties into the Password Vault from a pre-prepared file, creating the required environment, when necessary.  It is run from a command line whenever a password upload is required 1 .

Comprehensive Explanation : The Privileged Threat Analytics (PTA) sensors are designed to collect specific types of data to detect potential security threats. For the alert category of  Unmanaged privileged account , the  Network Sensor  and  PTA Windows Agent  are responsible for collecting the relevant data. Similarly, for the alert category of  Anomalous access to multiple machines , data is collected from  Logs , the  Vault , and optionally from  AWS  and  Azure . The  Suspicious activities detected in a privileged session  category relies on data from  Logs , the  Vault , and optionally from  AD ,  AWS , and  Azure . Lastly, the  Suspected credentials theft  category also utilizes the  Network Sensor  and  PTA Windows Agent  for data collection.

References :

CyberArk’s official training materials and documentation provide detailed information on PTA sensors and the types of data they collect for different alert categories.

 In addition to the permissions to add accounts and update account contents, the permission to  Update Account Properties  is required to add a single account to a safe in CyberArk.  This permission allows the user to modify the properties of an account, which is a necessary step when adding a new account to ensure that all relevant details and configurations are correctly set 1 .  References : The information provided is based on general knowledge of CyberArk PAM best practices and the permissions required for account management as outlined in CyberArk’s official documentation

 A usage is a configuration that allows CyberArk to manage passwords for files, such as XML or INI files, that are stored on remote machines. A usage is associated with a parent account, which is the account that has access to the file. To update the password of a usage, the least intrusive way is to use the “sync” button on the usage’s details page. This will synchronize the password value between the Vault and the file, without changing the actual password. The “change” button will initiate a password change process by the CPM, which will generate a new random password for the usage and the file. The “reconcile” button will initiate a password reconcile process by the CPM, which will use a reconcile account to reset the password of the usage and the file to the value stored in the Vault.  References :  Usages ,  Manage passwords for usages

 When using the CreateCredFile Utility to harden Credential Files (CredFiles), it is important to include parameters that enhance security.  The Host IP Address, Client Hostname, and Vault IP Address are parameters that can be used to specify the environment in which the CredFile is valid, thereby restricting its use to specific machines or networks 1 . This helps prevent unauthorized access to the CredFile and ensures that it is only used in the intended context.

References :

CyberArk’s official documentation on the CreateCredFile utility provides insights into the security mechanisms used to protect credential files, including the use of environmental key materials such as application-based, machine-based, and component-based materials 1 .

For a deeper understanding of how to secure Credential Files and the use of the CreateCredFile Utility, refer to the CyberArk Defender PAM course materials and study guide 2 .

According to the CyberArk Defender PAM documentation 1 , when creating an onboarding rule, it will be executed upon both all accounts in the pending accounts list and any future accounts discovered by a discovery process. This means that the rule will automatically onboard and provision the accounts that match the rule criteria, regardless of when they were discovered. The rule will also apply to any new accounts that are discovered by subsequent discovery processes. This way, the onboarding rule can minimize the time and effort required to securely manage the accounts in the vault.

 A platform is a set of parameters that defines how CyberArk manages passwords and sessions for a specific type of account or system. To allow users to access a Linux endpoint, the platform needs to have a PSM-SSH connection component, which enables transparent connections to Linux machines using the SSH protocol. The PSM-SSH connection component is configured in the Master Policy and defines the settings for the PSM connection, such as the port, the authentication method, and the terminal type. If the platform is missing the PSM-SSH connection component, the users will not be able to click to connect to the Linux endpoint.  References :  Connection Components ,  PSM-SSH Connection Component

 Reconcile and logon accounts can be linked to an account within the platform settings and safe settings. The platform settings define the parameters for its linked accounts in either the Target Account or Service Account that requires them. When linked accounts are specified in the Target Account platform, they appear in the CPM pane of the Account Details page.  Similarly, when they are specified in the Service Account platform, they appear in the CPM pane of the Service Account Details page 1 . Safe settings are also involved in the process of linking accounts, as they determine where the accounts are stored and managed within the CyberArk Vault.

References :

CyberArk Docs - Linked Accounts 1

CyberArk REST API documentation on adding Reconcile and Login Accounts to an Account

 The Master Policy in CyberArk defines the behavior of one-time passwords and exclusive access Exclusive access  ensures that only one user can check out an account at any given time, effectively locking the account during its use to prevent simultaneous access 1 . On the other hand,  one-time password  functionality is designed to change the account’s password after it is used, based on a timer set by the  MinValidityPeriod  parameter in the policy file.  This means that once the password is checked out and the timer expires, the Central Policy Manager (CPM) will change the password 2 . These settings are often used together to maintain accountability and security for the usage of shared privileged accounts.  References :

CyberArk Docs: One-time passwords and exclusive accounts 1

CyberArk Knowledge Article: CPM: What is the difference between “One Time” and “Exclusive” passwords? 2