Cyber-Ark Interview Questions
These interview questions will help you land your dream job in Cyber-Ark. They are commonly asked in Cyber-Ark interviews, so go through them for good insight into Q&A on Cyber-Ark operations, implementations and automation.
Q.1. Define your Current CyberArk Infrastructure?
Q.2. Your roles & responsibilities?
Q.3. How to login as a Master User?
Q.4. How to activate a user if it gets suspended?
Q.5. What are the different ways of onboarding an account?
Q.6. How to increase password retrieval time?
Q.7. Workflow of PSM Connection?
Q.8. Functions of PVWAApp, PVWAGW, PSMAPP, PSMGW Users?
Q.9. What are the ports used by CPM to change password?
Q.10. Why CPM cannot be load balanced?
Generally, the interviewer starts the CyberArk interview with this question:
Q.1. Define your Current CyberArk Infrastructure?
Talk about your current infrastructure: how many Vaults there are and whether they are standalone or in HA, then how many PVWAs, CPMs, PSMs, PSMPs, PTA instances, etc.
Talk only about your own infrastructure, because the interviewer will base follow-up questions on it.
If I had to answer this question for my current lab environment, the answer would be something like:
In our current CyberArk environment, we have:
2 Standalone Vaults (One Production Vault and One DR Vault)
We use LDAPS authentication for logging in to PVWA
Also tell them how many accounts you manage.
For example, in my lab I have onboarded only 3-4 accounts.
In this way, you can answer the above question; if you have more components, adapt the lines above accordingly.
Most interviewers ask this question:
Q.2. Your roles & responsibilities?
Answer this question according to your own profile only, because the interviewer may base the next questions on your roles & responsibilities.
If I had to answer this question, the answer would be something like:
My roles & responsibilities are:
Working as a Subject Matter Expert (SME) and supporting the project in Operations, Upgrades and Implementation to ensure smooth operations.
Upgrading CyberArk components when a new version is released, including Vault, CPMs, PVWAs, PSMPs, AAM, PTA & PSM in HA, along with a standalone instance at the DR site.
Travelling onsite and holding discussions with various teams, including Windows, Unix, Networking and Security, along with various application teams, to understand the privileged accounts currently in use and how these accounts can be managed.
Customizing CyberArk Connection components and making the necessary changes according to the client’s requirements.
Helping the team resolve any issues related to any CyberArk component.
Providing training to new employees.
Working on different technologies apart from CyberArk, like BeyondTrust, Certificate Authority, Azure DLP.
You can answer these questions according to your profile and your daily BAU activities. Don’t mention anything beyond that which you don’t know, because the interviewer may ask questions on that topic.
Q.3. How to login as a Master User?
To log in as the Master user, we require the following:
Master CD or Private (RecPrv) key on Vault
Path of private key in dbparm.ini
A restart of the PrivateArk server if the recovery private key path was changed
The Master user logs in from the authorized IP address, if one is defined.
The Master user can log in only through the PrivateArk client, using PrivateArk authentication.
The interviewer can ask basic operations questions too:
Q.4. How to activate a user if it gets suspended?
When a user logs in to CyberArk and types the wrong password, then after 5 wrong attempts the user’s account gets suspended, and the user can’t log in to CyberArk until the account is activated. The default value is 5 and it can be increased, to a maximum of 99.
To Activate the account:
Log in to the PrivateArk client using Administrator or any account that has permission to activate the account.
Go to Tools > Users & Groups
Search for that suspended account
Click on that account & go to trusted network
Click on Activate
Now the user can log in to CyberArk.
An account can be activated only from the PrivateArk client, not from PVWA.
Q.5. What are the different ways of onboarding an account?
This question may be asked of an L1 profile:
Accounts can be onboarded using the methods below:
Q.6. How to increase password retrieval time?
When you retrieve a password, there is a defined time for which it is revealed.
Go to Administration > Options > General:
Search for Password Revealing, or just go to the General settings of PVWA.
Look for Password Revealing and increase the time as required.
Increasing the password revealing time depends entirely on your company’s policy. In Internet Explorer, users can copy the password directly using the copy option, but in Google Chrome they can’t copy it directly: they need to click Show, then double-click, and then copy. When they click Show, the password revealing time starts; its default value is 10 seconds.
Q.7. Workflow of PSM Connection?
CyberArk PSM connection workflow:
When a user clicks the Connect option, the PVWAApp user goes to the Vault and fetches the password of the PSMConnect user.
To understand the workflow, one must know the functions of the PVWAGW, PVWAApp, PSMAPP & PSMGW users.
These users are built in and are created when PVWA & PSM are installed, respectively.
Q.8. Functions of PVWAApp, PVWAGW, PSMAPP, PSMGW Users?
Use of PVWAAPP, PVWAGW, PSMAPP & PSMGW Users:
PVWAApp User: This user is used by PVWA for internal processing. It’s the only user in the Vault that is responsible for opening the PVWA URL. If this user gets suspended, the PVWA URL can’t be accessed.
PVWAGW User: This user is generally used for provisioning the other users to the Vault. If this user gets suspended, you won’t be able to log in to PVWA.
PSMApp User: This user is generally used by PSM for internal processing. It's used to retrieve configuration from the Vault and create recording safes. In new versions, it has the audit and add safes authorizations in the Vault.
PSMGW User: This user is a member of the PVWAGWaccounts group, so it gets access to all password objects, and it is used by PSM to fetch the target account’s password.
From the uses described above, you can see how these accounts are used to grant access to the Vault or the target machine.
Q.9. What are the ports used by CPM to change password?
CyberArk CPM uses different ports for different platforms.
Below are the ports used by CPM for:
Windows Platform: 135, 139, 445
Unix Platform: 22
To change the password of Windows accounts, CPM uses the Windows API to connect to the machine and then uses the net user command to change the password. To change the password of Unix accounts, it uses plink to connect to the Unix machine and changes the password accordingly. (Different flavors of Linux have different commands to change the password.)
Q.10. Why CPM cannot be load balanced?
This question is generally asked for a higher profile. A CPM is assigned to a safe, and a single safe may hold many accounts.
CyberArk CPM can’t be load balanced because it can cause multiple password out-of-sync issues. Suppose the CPMs were load balanced: any one of them would change or verify the password according to the Master Policy. If it fails to change or verify the password, and another CPM then tries the same thing and succeeds, how will the first CPM know? It will push the change again, so there will be a lot of out-of-sync issues.
In simple terms, you can say: to avoid a split-brain scenario!
There is a different way to balance load across CPMs. Suppose we have two CPMs and two teams, Windows and Unix. We can assign one CPM to the Windows team's safes and the other to the Unix team's safes. In this manner, we can load balance the CPMs.
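The out-of-sync argument above, as an added toy model in Python (not CyberArk code and not from the original page): it enumerates every interleaving of two CPMs changing one account and contrasts that with one CPM per safe. The CPM and safe names are hypothetical, and the model assumes the target accepts a password set without checking the old one.

```python
# Added illustration, not CyberArk code: toy model of CPMs changing one account.
from itertools import permutations


def run_schedule(schedule):
    """Apply one interleaving of steps and return (vault_pw, target_pw).

    Each step is (cpm_name, action). "target" sets the password on the managed
    machine; "vault" stores that CPM's new password in the Vault.
    Assumption: the target accepts the set without checking the old password.
    """
    vault_pw = target_pw = "initial"
    for cpm, action in schedule:
        new_pw = f"pw-from-{cpm}"  # each CPM generates its own value
        if action == "target":
            target_pw = new_pw
        else:
            vault_pw = new_pw
    return vault_pw, target_pw


def interleavings(cpms):
    """Every ordering of the steps in which each CPM does target before vault."""
    steps = [(c, a) for c in cpms for a in ("target", "vault")]
    for order in permutations(steps):
        if all(order.index((c, "target")) < order.index((c, "vault")) for c in cpms):
            yield order


def out_of_sync_schedules(cpms):
    """Schedules that end with the Vault holding a password the target lacks."""
    return [s for s in interleavings(cpms)
            if len(set(run_schedule(s))) != 1]


def cpm_for_safe(safe, assignment):
    """Partitioned design from the text: each safe is owned by exactly one CPM."""
    return [assignment[safe]]


# Constructed sample: safe names and CPM names are hypothetical.
ASSIGNMENT = {"Windows-Team-Safe": "CPM_WIN", "Unix-Team-Safe": "CPM_UNIX"}

if __name__ == "__main__":
    total = len(list(interleavings(["CPM1", "CPM2"])))
    shared = out_of_sync_schedules(["CPM1", "CPM2"])
    print(f"two CPMs on one account: {len(shared)} of {total} schedules out of sync")
    for safe in ASSIGNMENT:
        owned = out_of_sync_schedules(cpm_for_safe(safe, ASSIGNMENT))
        print(f"{safe}: {len(owned)} out-of-sync schedules")
```

The out-of-sync schedules are the ones where the last write to the target and the last write to the Vault come from different CPMs; with a single owner per safe no such ordering exists.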
Hi, I have a doubt about the PSM Connect workflow. 1. Does the PSMGW user connect to the Vault and fetch the target server account password, or the PVWA App user? 2. The PSM Shadow user will be used only for Unix target servers, right? What happens if the target server is a Windows machine? PSM Shadow user connects to the target server with the protocol chosen by the user.
Much thanks to Neer singh. The content is well organised and focused on hands-on videos. These courses are extremely valuable. It strengthened my technical skills and proved to be a great learning experience. This course gave me more confidence in technology. Especially the interview questions were very helpful for me to clear the interviews.