




版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领
文档简介
pascustomizationCPMPluginsandPluginEnginesBytheendofthissessionyouwillbeableto:DescribebasicCPMPluginsandPluginEnginesfunctionality,architectureandflowDescribethemaindifferencesbetweenPMTerminalandTPCDescribebackendCPMActionsDescribeandcapturetheCPMParameterFileLessonObjectives2Inthissectionwewillreview:CPMActionsLinkedAccountspasswordmanagement
review4CyberArkPrivilegedAccessSecurityCentralPolicyManagerSystemUserPassUnixrootOracleSYSWindowsAdministratorz/OSDB2ADMINCiscoenabletops3cr3ttops3cr3ttops3cr3ttops3cr3ttops3cr3tTojsd$5fhtops3cr3ttops3cr3ttops3cr3ttops3cr3ttops3cr3tgviNa9%Im7yT%wy7qeF$1X5$aq+pTheCPMmanagespasswords,SSHKeysandothersecretsbasedonthepoliciessetbyVaultAdministratorsThereare3passwordmanagementactionsperformedbyCPM:Verify,ChangeandReconcilePasswordmanagementisperformedbythecpmPolicyITEnvironmentVerifyprocessVaultCPMTargetAccountInfo&CurrentPasswordsScanVaultforAccountLoginusingcurrentcredentialsSuccessorfailureChangeProcessVaultCPMTargetAccountInfo&CurrentPasswordsScanVaultforAccountLoginusingcurrentcredentialsSuccessorfailureGenerate
PasswordConnect&runchangepasswordSuccessorfailureLoginusingnewcredentialsSuccessorfailureStorenewcredentialsreconcileProcessVaultCPMTargetAccountInfo&CurrentPasswordsScanVaultforAccountLoginusingreconcilecredentialsSuccessorfailureGenerate
PasswordConnectwithreconcileaccount&runpasswordresetSuccessorfailureLoginusingnewcredentialsSuccessorfailureStorenewcredentialsTherearetwolinkedaccountsthatarecommonlyusedbytheCPMtomanagepasswords,SSHkeysandandothersecrets.Asidefromthesetwoaccountstherecanbeusecasesthatrequirecustomlinkedaccounts.LinkedaccountsUsedwhenthetargetaccountispreventedfromloggingonandthepasswordisknownUsedonaregularbasis–i.e.,itiscommontoblockrootaccessviaSSHA‘superuser’suchasrootshouldnotbeusedasalogonaccountLogonAccountUsedwhenthetargetaccountpasswordis‘lost’orunknownShouldbeusedinfrequentlyNeedstohaveelevatedprivileges(i.e.DomainAdmin)ThisaccountisusuallyaserviceaccountreservedforthispurposeReconcileAccountPluginsandPluginenginesInthissectionwewillcoverthefourPluginEngines:PassChangCANetPluginInvokerPMTerminalTerminalPluginController(TPC)PluginEnginesaretheapplicationsthatperformpasswordmanagementactionsonbehalfoftheCPM.Pluginenginesmanagepasswordsbasedonlogicwrittenandcompiledinplugins.TheCPMdetermineswhichpluginandwhichpluginenginetorunbasedonthePlatformsettings.PassChngCANetPluginInvokerPMTerminalTPCPluginsandPluginenginesPassChngPassChng.exeisthedefaultPluginEngine.PassChngexecutesthelogicinpluginsthatarewritteninCandcompiledasDLLfiles,e.g:PMWindows.dllPMWinService.dllPMODBC.dllPassChngcustomizationPassChngdoesnotprovideaframeworkforcreatingnewplugins.Thatsaid,insomecases,youcancustomizeanexistingplatformtosupportnewdeviceswithouthavingtocreateormodifythepluginitself.E.g.,OracleDatabasewhichusesthePMODBC.dllplugin,cansupportanyODBCcompliantdatabasebycustomizingthepasswordmanagementcommandsattheplatformlevel.CANETPluginInvokerCANetPluginInvoker.exeprimarilyenablesCPMtomanagecredentialsusingAPIs(e.g.AWS,Azure)CANetPluginInviker.exeexecutesthelogicinpluginsthatarewrittenin.NETandcompiledasDLLfiles,e.g:AWSpluginMicrosoftAzurepluginWebApplicationsCANetPluginInvoker(Credentials
Management
.NET
SDK)customizationTheCredentialsManagement.NETSDKframeworkisdesignedtofacilitateaneasywaytocreatenewCPMplug-insin.NETTocreateanewproject,openthetemplateprovidedintheCyberArkMarketplaceorcreateanewprojectasdescribedintheonlinedocumentation.PMTerminal
andtpcPMTerminalisresponsibleformanagingcredentialsinTerminalbasedDevicesusingSSHorTelnet.TPCisgraduallyreplacingPMTerminalwithanewCPMPlugininfrastructure.AsidefromTerminaldevices,PMTerminalandTPCsupportpluginsthatarebasedon:PythonPowerShellcScriptInthistrainingwewillfocusonmanagingTerminaldevicesusingSSH.PMTerminalandTPC(TERMINALPLUGINCONNECTOR)PMTerminalandTPCfunctionasbothaframeworkforcreatingstatemachineplugins,andasanengineforrunningtheseplugins(interpreter).PMTerminalandTPCpluginsaremadeupoftwofiles:a
Prompts
file.a
Process
file.TheProcessandPromptscontainthelogicformanagingpasswordsinterminalbaseddevices,intheformofastatemachine.DevelopingpluginsforPMTerminalandTPCistodeveloptheprocessandpromptsfiles.PLUGINSandCUSTOMIZATIONSystemRequirementsforTPCare:CPMv9.7orhigher.NET4.5.2TPCisProvidedoutoftheboxfromCorePASv10.4.TPCv11.2supportsalloutoftheboxplatformspreviouslysupportedbyPMTerminal.PMTerminalwilleEOLonSeptember2020.PMTerminalTPCPerformance1Unixaccountin45seconds97Unixaccountsin30minutes1Unixaccountin4seconds1500Unixaccountsin30minutesSecurityRequiresexceptionstoMicrosoftDataExecutionPrevention(DEP)andotherSecuritysoftwaresuchasAntivirusDoesnotrequireexceptionstoDEPorothersecuritySoftwareLanguageTCL.NETTPCvsPMTerminalEnginesandplugins
ArchitectureandflowWhentheCPMneedstoperformanactionitspawnsanewprocessoftherelevantPluginEngine,providingtheenginewith:CPMActionSensitiveInformationNon-SensitiveInformationThePluginEngineinvokesthelogicofaplugin.Basedonthelogicoftheplugin,thePluginEngineconnectstothetargetmachineandperformstheaction.PluginEngineCPMTargetPluginSensitiveInformationNon-SensitiveInformationCPMActionArchitectureandflowWhentheCPMneedstoperformanactionitspawnsanewprocessoftherelevantPluginEngine,providingtheenginewith:CPMActionSensitiveInformationNon-SensitiveInformationThePluginEngineinvokesthelogicofaplugin.Basedonthelogicoftheplugin,thePluginEngineconnectstothetargetmachineandperformstheaction.PassChng.exeCPMTargetPMWindows.dllCANetPluginInvokerCyberArk.Extensions.Plugin.Azure.dllPMTerminal/TPCUnixProcess.iniUnixPrompts.iniSensitiveInformationNon-SensitiveInformationCPMActionArchitectureandflowPMTerminalinvokesthelogicintherelevantplugin.WhenmanagingSSHdevicesPMTerminalspawnsplink,aterminalemulator(CLIPuTTy)plinkconnectstothetargetmachineusingSSH.PMTerminalinteractswiththeplinkusingasharedbufferinthemachine’smemoryPMTerminalCPMplink.exeLoginas:\nPassword:\nroot@centos$SharedBufferUnixSSHProcess.iniUnixSSHPrompts.iniPluginPMTerminalarchitectureandFlowtargetTPCinvokesthelogicintherelevantplugin.UnlikePMTerminal,TheconnectionoverSSHisnotdoneusingplink.Instead,TPCusesalibrary(SSH.NET)thatfunctionsasaterminalemulator.ForbackwardcompatibilitywithPMTerminalplugins,instructionsinthepluginforlaunchingplinkremainthesame.TPC(SSH.NETlibrary)CPMTargetUnixSSHProcess.iniUnixSSHPrompts.iniPluginTPCarchitectureandFlow
Cpmactions
InthissectionwewilllookattheCPMactionsthattakeplaceinthebackendbetweentheCPMandthePluginEngine:VerifypassLogonChangepassPrereconcilepassReconcilepassVerifyPassLogonChangePassPreReconcilePassReconcilePassCPMActions(BehindtheScenes)VerifytheExistingPasswordPluginEngineCPMTargetVerifyPassLogonwithCurrentCredentialsSuccessorFailurePromptverifyVerifytheExistingPasswordGenerateaNewPasswordChangethePasswordPluginEngineCPMTargetLogonLogonwithCurrentCredentialsSuccessorFailureLogonwithCurrentCredentialsGenerateNewPasswordPromptPromptPromptSuccessorFailureChangePasswordPromptChangePassLogonwithNewCredentialschangeVerifytheReconcilePasswordGenerateaNewPasswordReconcilethePasswordPluginEngineCPMTargetPreReconcilePassLogonwithReconcileCredentialsSuccessorFailureLogonwithReconcileCredentialsGenerateNewPasswordPromptPromptPromptSuccessorFailureReconcileAccountPasswordPromptReconcilePassLogonwithNewCredentialsreconcileInthissectionwewilltakealookattheinformationsentfromtheCPMtothepluginengine:SensitiveinformationNon-sensitiveinformation
Sensitiveandnon-sensitiveinformationInordertomanagepasswordstheCPMneedstoprovidethePluginEnginewiththefollowinginformation:CPMActionNon-SensitiveInformationSensitiveInformationNon-SensitiveInformationreferstopropertiesfromthetargetaccount,linkedaccountsandplatform(additionalpolicysettings).SensitiveInformationreferstocredentialsCurrentPassword-pmpassNewPassword-pmnewpassLogonPassword–pmextrapass1ReconcilePassword–pmextrapass3SensitiveInformationNon-SensitiveInformationPluginEngineIPAddressUsernameLogonReconcilePortPluginVerifyPassLogonChangePassPreReconcoileReconcilePassCPMActionSensitiveandnon-sensitiveinformationSensitiveinformationSensitiveinformationSensitiveInformationreferstocredentials:TargetaccountpasswordTargetaccountnewpasswordLinkedaccounts’passwordsTheCPMsetsthesecredentialsasenvironmentalvariablesinmemory,makingthemavailableonlytotherelevantPluginEngineprocess.VariableCredentials%pmpass%TargetAccountcurrentpassword%pmnewpass%TargetAccountnewpassword%pmextrapass1%Linkedaccount1password%pmextrapass3
温馨提示
- 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
- 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
- 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
- 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
- 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
- 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
- 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
最新文档
- 工业互联网平台网络安全态势感知技术安全态势感知与安全防护技术创新报告2025
- 2025年六盘水市重点中学八年级英语第二学期期中复习检测模拟试题含答案
- 制造业数字化转型数据治理策略与能源管理的优化报告
- 2025年元宇宙社交平台隐私保护与用户体验研究报告
- 社交媒体舆情监测与2025年危机公关技术应用研究指南与实践案例分析指南报告001
- 2025年单身经济下小型家电市场消费者购买偏好研究报告
- 2025年医药行业市场准入政策与监管趋势报告
- 2025年医药企业研发外包(CRO)与临床试验结果转化报告
- 2025年短视频平台内容监管与网络素养提升策略报告
- 2025年医药流通行业供应链优化与成本控制中的供应链协同效应提升策略报告
- 校长在2025暑假前期末教师大会上的讲话:静水深流脚踏实地
- 2025春季学期国开电大本科《理工英语3》一平台在线形考综合测试(形考任务)试题及答案
- 新22J01 工程做法图集
- 2024秋期国家开放大学本科《经济学(本)》一平台在线形考(形考任务1至6)试题及答案
- 2022-2023学年安徽省阜阳市高一下学期期末教学质量统测数学试卷(解析版)
- 消防改造工程技术标书模板
- 磷化膜质量评定项目与方法
- 贷款申请表(标准模版)
- 合理应用喹诺酮类抗菌药物专家共识精品课件
- 中医内科试题及答案 400题-高级职称(七)(过关必做)
- 在挫折中成长(课堂PPT)
评论
0/150
提交评论