Pass the CyberArk Sentry CPC-CDE-RECERT Questions and answers with Dumpstech

CyberArk documents that automatic hardening can be bypassed by setting the Hardening parameter in the PSM for SSH parameters file. The PSM for SSH parameters file used during installation is the psmpparms file (created by copying psmpparms.sample and renaming it to psmpparms).

https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pas%20inst/cpm-hardening-task-descriptions.htm?Highlight=cpm%20hardening%20accounts#AddsuserstoLocalgrouppolicySecuritysettings

According to best practice, when considering the location of PSM Connector servers in Privilege Cloud environments, the PSM should be placed near the target devices. This placement minimizes latency and maximizes performance by reducing the distance that data has to travel between the PSM servers and the devices they are managing. This is particularly important for maintaining high efficiency and response times during remote session management and operations, which are critical for the overall effectiveness of the Privilege Cloud environment.

On CyberArk Privilege Cloud, updating users' permissions on safes can be done through the Privilege Cloud Portal and the REST API. The Privilege Cloud Portal provides a user-friendly graphical interface where administrators can manage user permissions directly within the portal's safe management settings. Additionally, the REST API offers a programmable way to automate permission updates across safes, which is especially useful for bulk changes or integrating with other management tools. Both methods provide effective means to manage and customize access controls in a CyberArk environment, allowing for detailed permission settings per user on specific safes.

CyberArk’s official guidance for restricting a platform to specific Safes is to set the AllowedSafes platform parameter in the General section of the platform under Automatic Password Management.

AllowedSafes uses a regular expression to match Safe names, which is why a pattern such as (WINDEMEA)|(WINDEMEA_ADMIN) is used to allow exactly those two Safe names.

When deploying a CyberArk Identity Connector to integrate Privilege Cloud Shared Services with an Active Directory environment, the server hosting the Identity Connector must meet specific requirements to ensure proper integration and functionality. The necessary condition is:

The Identity Connector Server must be joined to the Active Directory (Option A). This requirement ensures that the server can communicate effectively with the Active Directory services and manage identity data securely and efficiently. Being part of the Active Directory domain facilitates authentication and authorization processes required for the connector to function correctly.

In a PSM Load Balanced Virtual Server Configuration, the default service ports/protocols used are RDP/3389 and HTTPS/443. RDP (Remote Desktop Protocol) typically uses port 3389 for remote desktop services, which is essential for PSM functionalities involving remote sessions. HTTPS, which utilizes port 443, is used for the PSM Health Check service to ensure secure and encrypted communication during the monitoring and health verification processes of the PSM services.

In the Shared Services (ISPSS) model, directory services (AD/LDAP) are integrated through CyberArk Identity / Identity Administration using the Identity Connector, which enables secure communication between Identity Administration and the customer’s AD/LDAP. This aligns with C.

For LDAPS, CyberArk states LDAP communicates with the Identity Connector over TLS/SSL (port 636) and that, during the handshake, the LDAP server presents an X.509 certificate; therefore the machine running the Identity Connector must trust the issuing CA/cert chain. This is exactly D.

Why the other options are not correct for Shared Services:

A describes the Privilege Cloud Portal LDAP mapping UI used in the Privilege Cloud Standard LDAP integration flow (User Provisioning > LDAP Integration), not the Shared Services Identity Administration directory service integration path.

B “Secure Tunnel required” is a requirement called out for connecting LDAP in the Privilege Cloud Standard flow (CyberArk Support defines the secure tunnel), but Shared Services LDAP/AD authentication is handled via the Identity Connector model.

E is not a Shared Services requirement; the trust is established on the connector machine (D), not by sending the CA cert to CyberArk Support.

CyberArk’s predefined groups documentation describes the Auditors group as having View audit plus Safe viewing-related authorization (documented as View Safe Members, enabling visibility into Safe contents/activity/owners list). This matches the intent of “View Audit + View Safe” in the question better than the other options.