版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领
文档简介
pascustomizationCPMPluginsandPluginEnginesBytheendofthissessionyouwillbeableto:DescribebasicCPMPluginsandPluginEnginesfunctionality,architectureandflowDescribethemaindifferencesbetweenPMTerminalandTPCDescribebackendCPMActionsDescribeandcapturetheCPMParameterFileLessonObjectives2Inthissectionwewillreview:CPMActionsLinkedAccountspasswordmanagement
review4CyberArkPrivilegedAccessSecurityCentralPolicyManagerSystemUserPassUnixrootOracleSYSWindowsAdministratorz/OSDB2ADMINCiscoenabletops3cr3ttops3cr3ttops3cr3ttops3cr3ttops3cr3tTojsd$5fhtops3cr3ttops3cr3ttops3cr3ttops3cr3ttops3cr3tgviNa9%Im7yT%wy7qeF$1X5$aq+pTheCPMmanagespasswords,SSHKeysandothersecretsbasedonthepoliciessetbyVaultAdministratorsThereare3passwordmanagementactionsperformedbyCPM:Verify,ChangeandReconcilePasswordmanagementisperformedbythecpmPolicyITEnvironmentVerifyprocessVaultCPMTargetAccountInfo&CurrentPasswordsScanVaultforAccountLoginusingcurrentcredentialsSuccessorfailureChangeProcessVaultCPMTargetAccountInfo&CurrentPasswordsScanVaultforAccountLoginusingcurrentcredentialsSuccessorfailureGenerate
PasswordConnect&runchangepasswordSuccessorfailureLoginusingnewcredentialsSuccessorfailureStorenewcredentialsreconcileProcessVaultCPMTargetAccountInfo&CurrentPasswordsScanVaultforAccountLoginusingreconcilecredentialsSuccessorfailureGenerate
PasswordConnectwithreconcileaccount&runpasswordresetSuccessorfailureLoginusingnewcredentialsSuccessorfailureStorenewcredentialsTherearetwolinkedaccountsthatarecommonlyusedbytheCPMtomanagepasswords,SSHkeysandandothersecrets.Asidefromthesetwoaccountstherecanbeusecasesthatrequirecustomlinkedaccounts.LinkedaccountsUsedwhenthetargetaccountispreventedfromloggingonandthepasswordisknownUsedonaregularbasis–i.e.,itiscommontoblockrootaccessviaSSHA‘superuser’suchasrootshouldnotbeusedasalogonaccountLogonAccountUsedwhenthetargetaccountpasswordis‘lost’orunknownShouldbeusedinfrequentlyNeedstohaveelevatedprivileges(i.e.DomainAdmin)ThisaccountisusuallyaserviceaccountreservedforthispurposeReconcileAccountPluginsandPluginenginesInthissectionwewillcoverthefourPluginEngines:PassChangCANetPluginInvokerPMTerminalTerminalPluginController(TPC)PluginEnginesaretheapplicationsthatperformpasswordmanagementactionsonbehalfoftheCPM.Pluginenginesmanagepasswordsbasedonlogicwrittenandcompiledinplugins.TheCPMdetermineswhichpluginandwhichpluginenginetorunbasedonthePlatformsettings.PassChngCANetPluginInvokerPMTerminalTPCPluginsandPluginenginesPassChngPassChng.exeisthedefaultPluginEngine.PassChngexecutesthelogicinpluginsthatarewritteninCandcompiledasDLLfiles,e.g:PMWindows.dllPMWinService.dllPMODBC.dllPassChngcustomizationPassChngdoesnotprovideaframeworkforcreatingnewplugins.Thatsaid,insomecases,youcancustomizeanexistingplatformtosupportnewdeviceswithouthavingtocreateormodifythepluginitself.E.g.,OracleDatabasewhichusesthePMODBC.dllplugin,cansupportanyODBCcompliantdatabasebycustomizingthepasswordmanagementcommandsattheplatformlevel.CANETPluginInvokerCANetPluginInvoker.exeprimarilyenablesCPMtomanagecredentialsusingAPIs(e.g.AWS,Azure)CANetPluginInviker.exeexecutesthelogicinpluginsthatarewrittenin.NETandcompiledasDLLfiles,e.g:AWSpluginMicrosoftAzurepluginWebApplicationsCANetPluginInvoker(Credentials
Management
.NET
SDK)customizationTheCredentialsManagement.NETSDKframeworkisdesignedtofacilitateaneasywaytocreatenewCPMplug-insin.NETTocreateanewproject,openthetemplateprovidedintheCyberArkMarketplaceorcreateanewprojectasdescribedintheonlinedocumentation.PMTerminal
andtpcPMTerminalisresponsibleformanagingcredentialsinTerminalbasedDevicesusingSSHorTelnet.TPCisgraduallyreplacingPMTerminalwithanewCPMPlugininfrastructure.AsidefromTerminaldevices,PMTerminalandTPCsupportpluginsthatarebasedon:PythonPowerShellcScriptInthistrainingwewillfocusonmanagingTerminaldevicesusingSSH.PMTerminalandTPC(TERMINALPLUGINCONNECTOR)PMTerminalandTPCfunctionasbothaframeworkforcreatingstatemachineplugins,andasanengineforrunningtheseplugins(interpreter).PMTerminalandTPCpluginsaremadeupoftwofiles:a
Prompts
file.a
Process
file.TheProcessandPromptscontainthelogicformanagingpasswordsinterminalbaseddevices,intheformofastatemachine.DevelopingpluginsforPMTerminalandTPCistodeveloptheprocessandpromptsfiles.PLUGINSandCUSTOMIZATIONSystemRequirementsforTPCare:CPMv9.7orhigher.NET4.5.2TPCisProvidedoutoftheboxfromCorePASv10.4.TPCv11.2supportsalloutoftheboxplatformspreviouslysupportedbyPMTerminal.PMTerminalwilleEOLonSeptember2020.PMTerminalTPCPerformance1Unixaccountin45seconds97Unixaccountsin30minutes1Unixaccountin4seconds1500Unixaccountsin30minutesSecurityRequiresexceptionstoMicrosoftDataExecutionPrevention(DEP)andotherSecuritysoftwaresuchasAntivirusDoesnotrequireexceptionstoDEPorothersecuritySoftwareLanguageTCL.NETTPCvsPMTerminalEnginesandplugins
ArchitectureandflowWhentheCPMneedstoperformanactionitspawnsanewprocessoftherelevantPluginEngine,providingtheenginewith:CPMActionSensitiveInformationNon-SensitiveInformationThePluginEngineinvokesthelogicofaplugin.Basedonthelogicoftheplugin,thePluginEngineconnectstothetargetmachineandperformstheaction.PluginEngineCPMTargetPluginSensitiveInformationNon-SensitiveInformationCPMActionArchitectureandflowWhentheCPMneedstoperformanactionitspawnsanewprocessoftherelevantPluginEngine,providingtheenginewith:CPMActionSensitiveInformationNon-SensitiveInformationThePluginEngineinvokesthelogicofaplugin.Basedonthelogicoftheplugin,thePluginEngineconnectstothetargetmachineandperformstheaction.PassChng.exeCPMTargetPMWindows.dllCANetPluginInvokerCyberArk.Extensions.Plugin.Azure.dllPMTerminal/TPCUnixProcess.iniUnixPrompts.iniSensitiveInformationNon-SensitiveInformationCPMActionArchitectureandflowPMTerminalinvokesthelogicintherelevantplugin.WhenmanagingSSHdevicesPMTerminalspawnsplink,aterminalemulator(CLIPuTTy)plinkconnectstothetargetmachineusingSSH.PMTerminalinteractswiththeplinkusingasharedbufferinthemachine’smemoryPMTerminalCPMplink.exeLoginas:\nPassword:\nroot@centos$SharedBufferUnixSSHProcess.iniUnixSSHPrompts.iniPluginPMTerminalarchitectureandFlowtargetTPCinvokesthelogicintherelevantplugin.UnlikePMTerminal,TheconnectionoverSSHisnotdoneusingplink.Instead,TPCusesalibrary(SSH.NET)thatfunctionsasaterminalemulator.ForbackwardcompatibilitywithPMTerminalplugins,instructionsinthepluginforlaunchingplinkremainthesame.TPC(SSH.NETlibrary)CPMTargetUnixSSHProcess.iniUnixSSHPrompts.iniPluginTPCarchitectureandFlow
Cpmactions
InthissectionwewilllookattheCPMactionsthattakeplaceinthebackendbetweentheCPMandthePluginEngine:VerifypassLogonChangepassPrereconcilepassReconcilepassVerifyPassLogonChangePassPreReconcilePassReconcilePassCPMActions(BehindtheScenes)VerifytheExistingPasswordPluginEngineCPMTargetVerifyPassLogonwithCurrentCredentialsSuccessorFailurePromptverifyVerifytheExistingPasswordGenerateaNewPasswordChangethePasswordPluginEngineCPMTargetLogonLogonwithCurrentCredentialsSuccessorFailureLogonwithCurrentCredentialsGenerateNewPasswordPromptPromptPromptSuccessorFailureChangePasswordPromptChangePassLogonwithNewCredentialschangeVerifytheReconcilePasswordGenerateaNewPasswordReconcilethePasswordPluginEngineCPMTargetPreReconcilePassLogonwithReconcileCredentialsSuccessorFailureLogonwithReconcileCredentialsGenerateNewPasswordPromptPromptPromptSuccessorFailureReconcileAccountPasswordPromptReconcilePassLogonwithNewCredentialsreconcileInthissectionwewilltakealookattheinformationsentfromtheCPMtothepluginengine:SensitiveinformationNon-sensitiveinformation
Sensitiveandnon-sensitiveinformationInordertomanagepasswordstheCPMneedstoprovidethePluginEnginewiththefollowinginformation:CPMActionNon-SensitiveInformationSensitiveInformationNon-SensitiveInformationreferstopropertiesfromthetargetaccount,linkedaccountsandplatform(additionalpolicysettings).SensitiveInformationreferstocredentialsCurrentPassword-pmpassNewPassword-pmnewpassLogonPassword–pmextrapass1ReconcilePassword–pmextrapass3SensitiveInformationNon-SensitiveInformationPluginEngineIPAddressUsernameLogonReconcilePortPluginVerifyPassLogonChangePassPreReconcoileReconcilePassCPMActionSensitiveandnon-sensitiveinformationSensitiveinformationSensitiveinformationSensitiveInformationreferstocredentials:TargetaccountpasswordTargetaccountnewpasswordLinkedaccounts’passwordsTheCPMsetsthesecredentialsasenvironmentalvariablesinmemory,makingthemavailableonlytotherelevantPluginEngineprocess.VariableCredentials%pmpass%TargetAccountcurrentpassword%pmnewpass%TargetAccountnewpassword%pmextrapass1%Linkedaccount1password%pmextrapass3
温馨提示
- 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
- 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
- 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
- 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
- 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
- 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
- 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
最新文档
- DB22-T 3629.4-2025 公共机构能耗定额 第4部分:场馆类
- 娱乐场所场地租赁合同安全保障与消防管理协议
- 高端写字楼车位租赁与转让执行合同
- 餐饮店员工离职补偿及竞业禁止协议
- 2025年初中物理八年级下册(沪科版)教学课件 第十章 第二节
- 2025年房地产经营管理考试试题及答案
- 2025年城市规划师资格考试试题及答案
- 桂花雨 课时作业 含答案 统编五年级上册新课标核心素养目标
- 毒理学基础课程教学大纲
- 工程创优策划
- 保险从业考试题库及答案
- 秦安文书考试题及答案
- 食品原料采购与储存管理协议
- 市政道路交通导改方案
- 甘肃省兰州市2025届高三下学期第一次诊断考试(一模)英语试题(解析版)
- 冬季冰面勘察中高密度电法的应用与效果评估
- 人教版五年级下册分数加减法简便计算300道及答案
- 2024中远海运博鳌有限公司“启明星”等你来笔试参考题库附带答案详解
- 地址挂靠合同协议
- SL631水利水电工程单元工程施工质量验收标准第3部分:地基处理与基础工程
- 2025年护士执业资格考试题库(老年护理学)历年真题与模拟试题汇编
评论
0/150
提交评论