pas customization - cpm plugins and engines02定制插件引擎_第1页
pas customization - cpm plugins and engines02定制插件引擎_第2页
pas customization - cpm plugins and engines02定制插件引擎_第3页
pas customization - cpm plugins and engines02定制插件引擎_第4页
pas customization - cpm plugins and engines02定制插件引擎_第5页
已阅读5页,还剩38页未读 继续免费阅读

下载本文档

版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领

文档简介

pascustomizationCPMPluginsandPluginEnginesBytheendofthissessionyouwillbeableto:DescribebasicCPMPluginsandPluginEnginesfunctionality,architectureandflowDescribethemaindifferencesbetweenPMTerminalandTPCDescribebackendCPMActionsDescribeandcapturetheCPMParameterFileLessonObjectives2Inthissectionwewillreview:CPMActionsLinkedAccountspasswordmanagement

review4CyberArkPrivilegedAccessSecurityCentralPolicyManagerSystemUserPassUnixrootOracleSYSWindowsAdministratorz/OSDB2ADMINCiscoenabletops3cr3ttops3cr3ttops3cr3ttops3cr3ttops3cr3tTojsd$5fhtops3cr3ttops3cr3ttops3cr3ttops3cr3ttops3cr3tgviNa9%Im7yT%wy7qeF$1X5$aq+pTheCPMmanagespasswords,SSHKeysandothersecretsbasedonthepoliciessetbyVaultAdministratorsThereare3passwordmanagementactionsperformedbyCPM:Verify,ChangeandReconcilePasswordmanagementisperformedbythecpmPolicyITEnvironmentVerifyprocessVaultCPMTargetAccountInfo&CurrentPasswordsScanVaultforAccountLoginusingcurrentcredentialsSuccessorfailureChangeProcessVaultCPMTargetAccountInfo&CurrentPasswordsScanVaultforAccountLoginusingcurrentcredentialsSuccessorfailureGenerate

PasswordConnect&runchangepasswordSuccessorfailureLoginusingnewcredentialsSuccessorfailureStorenewcredentialsreconcileProcessVaultCPMTargetAccountInfo&CurrentPasswordsScanVaultforAccountLoginusingreconcilecredentialsSuccessorfailureGenerate

PasswordConnectwithreconcileaccount&runpasswordresetSuccessorfailureLoginusingnewcredentialsSuccessorfailureStorenewcredentialsTherearetwolinkedaccountsthatarecommonlyusedbytheCPMtomanagepasswords,SSHkeysandandothersecrets.Asidefromthesetwoaccountstherecanbeusecasesthatrequirecustomlinkedaccounts.LinkedaccountsUsedwhenthetargetaccountispreventedfromloggingonandthepasswordisknownUsedonaregularbasis–i.e.,itiscommontoblockrootaccessviaSSHA‘superuser’suchasrootshouldnotbeusedasalogonaccountLogonAccountUsedwhenthetargetaccountpasswordis‘lost’orunknownShouldbeusedinfrequentlyNeedstohaveelevatedprivileges(i.e.DomainAdmin)ThisaccountisusuallyaserviceaccountreservedforthispurposeReconcileAccountPluginsandPluginenginesInthissectionwewillcoverthefourPluginEngines:PassChangCANetPluginInvokerPMTerminalTerminalPluginController(TPC)PluginEnginesaretheapplicationsthatperformpasswordmanagementactionsonbehalfoftheCPM.Pluginenginesmanagepasswordsbasedonlogicwrittenandcompiledinplugins.TheCPMdetermineswhichpluginandwhichpluginenginetorunbasedonthePlatformsettings.PassChngCANetPluginInvokerPMTerminalTPCPluginsandPluginenginesPassChngPassChng.exeisthedefaultPluginEngine.PassChngexecutesthelogicinpluginsthatarewritteninCandcompiledasDLLfiles,e.g:PMWindows.dllPMWinService.dllPMODBC.dllPassChngcustomizationPassChngdoesnotprovideaframeworkforcreatingnewplugins.Thatsaid,insomecases,youcancustomizeanexistingplatformtosupportnewdeviceswithouthavingtocreateormodifythepluginitself.E.g.,OracleDatabasewhichusesthePMODBC.dllplugin,cansupportanyODBCcompliantdatabasebycustomizingthepasswordmanagementcommandsattheplatformlevel.CANETPluginInvokerCANetPluginInvoker.exeprimarilyenablesCPMtomanagecredentialsusingAPIs(e.g.AWS,Azure)CANetPluginInviker.exeexecutesthelogicinpluginsthatarewrittenin.NETandcompiledasDLLfiles,e.g:AWSpluginMicrosoftAzurepluginWebApplicationsCANetPluginInvoker(Credentials

Management

.NET

SDK)customizationTheCredentialsManagement.NETSDKframeworkisdesignedtofacilitateaneasywaytocreatenewCPMplug-insin.NETTocreateanewproject,openthetemplateprovidedintheCyberArkMarketplaceorcreateanewprojectasdescribedintheonlinedocumentation.PMTerminal

andtpcPMTerminalisresponsibleformanagingcredentialsinTerminalbasedDevicesusingSSHorTelnet.TPCisgraduallyreplacingPMTerminalwithanewCPMPlugininfrastructure.AsidefromTerminaldevices,PMTerminalandTPCsupportpluginsthatarebasedon:PythonPowerShellcScriptInthistrainingwewillfocusonmanagingTerminaldevicesusingSSH.PMTerminalandTPC(TERMINALPLUGINCONNECTOR)PMTerminalandTPCfunctionasbothaframeworkforcreatingstatemachineplugins,andasanengineforrunningtheseplugins(interpreter).PMTerminalandTPCpluginsaremadeupoftwofiles:a

Prompts

file.a

Process

file.TheProcessandPromptscontainthelogicformanagingpasswordsinterminalbaseddevices,intheformofastatemachine.DevelopingpluginsforPMTerminalandTPCistodeveloptheprocessandpromptsfiles.PLUGINSandCUSTOMIZATIONSystemRequirementsforTPCare:CPMv9.7orhigher.NET4.5.2TPCisProvidedoutoftheboxfromCorePASv10.4.TPCv11.2supportsalloutoftheboxplatformspreviouslysupportedbyPMTerminal.PMTerminalwilleEOLonSeptember2020.PMTerminalTPCPerformance1Unixaccountin45seconds97Unixaccountsin30minutes1Unixaccountin4seconds1500Unixaccountsin30minutesSecurityRequiresexceptionstoMicrosoftDataExecutionPrevention(DEP)andotherSecuritysoftwaresuchasAntivirusDoesnotrequireexceptionstoDEPorothersecuritySoftwareLanguageTCL.NETTPCvsPMTerminalEnginesandplugins

ArchitectureandflowWhentheCPMneedstoperformanactionitspawnsanewprocessoftherelevantPluginEngine,providingtheenginewith:CPMActionSensitiveInformationNon-SensitiveInformationThePluginEngineinvokesthelogicofaplugin.Basedonthelogicoftheplugin,thePluginEngineconnectstothetargetmachineandperformstheaction.PluginEngineCPMTargetPluginSensitiveInformationNon-SensitiveInformationCPMActionArchitectureandflowWhentheCPMneedstoperformanactionitspawnsanewprocessoftherelevantPluginEngine,providingtheenginewith:CPMActionSensitiveInformationNon-SensitiveInformationThePluginEngineinvokesthelogicofaplugin.Basedonthelogicoftheplugin,thePluginEngineconnectstothetargetmachineandperformstheaction.PassChng.exeCPMTargetPMWindows.dllCANetPluginInvokerCyberArk.Extensions.Plugin.Azure.dllPMTerminal/TPCUnixProcess.iniUnixPrompts.iniSensitiveInformationNon-SensitiveInformationCPMActionArchitectureandflowPMTerminalinvokesthelogicintherelevantplugin.WhenmanagingSSHdevicesPMTerminalspawnsplink,aterminalemulator(CLIPuTTy)plinkconnectstothetargetmachineusingSSH.PMTerminalinteractswiththeplinkusingasharedbufferinthemachine’smemoryPMTerminalCPMplink.exeLoginas:\nPassword:\nroot@centos$SharedBufferUnixSSHProcess.iniUnixSSHPrompts.iniPluginPMTerminalarchitectureandFlowtargetTPCinvokesthelogicintherelevantplugin.UnlikePMTerminal,TheconnectionoverSSHisnotdoneusingplink.Instead,TPCusesalibrary(SSH.NET)thatfunctionsasaterminalemulator.ForbackwardcompatibilitywithPMTerminalplugins,instructionsinthepluginforlaunchingplinkremainthesame.TPC(SSH.NETlibrary)CPMTargetUnixSSHProcess.iniUnixSSHPrompts.iniPluginTPCarchitectureandFlow

Cpmactions

InthissectionwewilllookattheCPMactionsthattakeplaceinthebackendbetweentheCPMandthePluginEngine:VerifypassLogonChangepassPrereconcilepassReconcilepassVerifyPassLogonChangePassPreReconcilePassReconcilePassCPMActions(BehindtheScenes)VerifytheExistingPasswordPluginEngineCPMTargetVerifyPassLogonwithCurrentCredentialsSuccessorFailurePromptverifyVerifytheExistingPasswordGenerateaNewPasswordChangethePasswordPluginEngineCPMTargetLogonLogonwithCurrentCredentialsSuccessorFailureLogonwithCurrentCredentialsGenerateNewPasswordPromptPromptPromptSuccessorFailureChangePasswordPromptChangePassLogonwithNewCredentialschangeVerifytheReconcilePasswordGenerateaNewPasswordReconcilethePasswordPluginEngineCPMTargetPreReconcilePassLogonwithReconcileCredentialsSuccessorFailureLogonwithReconcileCredentialsGenerateNewPasswordPromptPromptPromptSuccessorFailureReconcileAccountPasswordPromptReconcilePassLogonwithNewCredentialsreconcileInthissectionwewilltakealookattheinformationsentfromtheCPMtothepluginengine:SensitiveinformationNon-sensitiveinformation

Sensitiveandnon-sensitiveinformationInordertomanagepasswordstheCPMneedstoprovidethePluginEnginewiththefollowinginformation:CPMActionNon-SensitiveInformationSensitiveInformationNon-SensitiveInformationreferstopropertiesfromthetargetaccount,linkedaccountsandplatform(additionalpolicysettings).SensitiveInformationreferstocredentialsCurrentPassword-pmpassNewPassword-pmnewpassLogonPassword–pmextrapass1ReconcilePassword–pmextrapass3SensitiveInformationNon-SensitiveInformationPluginEngineIPAddressUsernameLogonReconcilePortPluginVerifyPassLogonChangePassPreReconcoileReconcilePassCPMActionSensitiveandnon-sensitiveinformationSensitiveinformationSensitiveinformationSensitiveInformationreferstocredentials:TargetaccountpasswordTargetaccountnewpasswordLinkedaccounts’passwordsTheCPMsetsthesecredentialsasenvironmentalvariablesinmemory,makingthemavailableonlytotherelevantPluginEngineprocess.VariableCredentials%pmpass%TargetAccountcurrentpassword%pmnewpass%TargetAccountnewpassword%pmextrapass1%Linkedaccount1password%pmextrapass3

人人文库> 全部分类> 教育资料 > 课件下载

温馨提示

  • 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
  • 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
  • 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
  • 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
  • 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
  • 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
  • 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

最新文档

评论

0/150

提交评论