




PAS Customization
CPM Plugins and Plugin Engines

Lesson Objectives
By the end of this session you will be able to:
- Describe basic CPM Plugins and Plugin Engines functionality, architecture and flow
- Describe the main differences between PMTerminal and TPC
- Describe backend CPM Actions
- Describe and capture the CPM Parameter File

Password Management Review
In this section we will review:
- CPM Actions
- Linked Accounts

CyberArk Privileged Access Security: Central Policy Manager
[Figure: a System / User / Password table showing Unix root, Oracle SYS, Windows Administrator, z/OS DB2ADMIN and Cisco enable all sharing the same password before CPM management, and each holding a unique random password afterwards.]

The CPM manages passwords, SSH keys and other secrets based on the policies set by Vault Administrators. There are 3 password management actions performed by the CPM: Verify, Change and Reconcile. Password management is performed by the CPM. [Figure: Policy, CPM, IT Environment]

Verify process (Vault, CPM, Target):
- Account info & current passwords
- Scan Vault for account
- Login using current credentials
- Success or failure

Change process (Vault, CPM, Target):
- Account info & current passwords
- Scan Vault for account
- Login using current credentials
- Success or failure
- Generate password
- Connect & run change password
- Success or failure
- Login using new credentials
- Success or failure
- Store new credentials

Reconcile process (Vault, CPM, Target):
- Account info & current passwords
- Scan Vault for account
- Login using reconcile credentials
- Success or failure
- Generate password
- Connect with reconcile account & run password reset
- Success or failure
- Login using new credentials
- Success or failure
- Store new credentials

Linked accounts
There are two linked accounts that are commonly used by the CPM to manage passwords, SSH keys and other secrets. Aside from these two accounts there can be use cases that require custom linked accounts.

Logon Account
- Used when the target account is prevented from logging on and the password is known
- Used on a regular basis, i.e., it is common to block root access via SSH; a 'superuser' such as root should not be used as a logon account

Reconcile Account
- Used when the target account password is 'lost' or unknown
- Should be used infrequently
- Needs to have elevated privileges (i.e. Domain Admin)
- This account is usually a service account reserved for this purpose

Plugins and Plugin Engines
In this section we will cover the four Plugin Engines:
- PassChng
- CANetPluginInvoker
- PMTerminal
- Terminal Plugin Controller (TPC)

Plugin Engines are the applications that perform password management actions on behalf of the CPM. Plugin engines manage passwords based on logic written and compiled in plugins. The CPM determines which plugin and which plugin engine to run based on the Platform settings.

PassChng
PassChng.exe is the default Plugin Engine. PassChng executes the logic in plugins that are written in C and compiled as DLL files, e.g.:
- PMWindows.dll
- PMWinService.dll
- PMODBC.dll

PassChng customization
PassChng does not provide a framework for creating new plugins. That said, in some cases you can customize an existing platform to support new devices without having to create or modify the plugin itself. E.g., Oracle Database, which uses the PMODBC.dll plugin, can support any ODBC-compliant database by customizing the password management commands at the platform level.

CANetPluginInvoker
CANetPluginInvoker.exe primarily enables the CPM to manage credentials using APIs (e.g. AWS, Azure). CANetPluginInvoker.exe executes the logic in plugins that are written in .NET and compiled as DLL files, e.g.:
- AWS plugin
- Microsoft Azure plugin
- Web Applications

CANetPluginInvoker (Credentials Management .NET SDK) customization
The Credentials Management .NET SDK framework is designed to facilitate an easy way to create new CPM plug-ins in .NET. To create a new project, open the template provided in the CyberArk Marketplace or create a new project as described in the online documentation.

PMTerminal and TPC
PMTerminal is responsible for managing credentials in terminal-based devices using SSH or Telnet. TPC is gradually replacing PMTerminal with a new CPM Plugin infrastructure. Aside from terminal devices, PMTerminal and TPC support plugins that are based on:
- Python
- PowerShell
- cScript

In this training we will focus on managing terminal devices using SSH.

PMTerminal and TPC (Terminal Plugin Connector)
PMTerminal and TPC function as both a framework for creating state machine plugins, and as an engine for running these plugins (interpreter). PMTerminal and TPC plugins are made up of two files:
- a Prompts file
- a Process file

The Process and Prompts files contain the logic for managing passwords in terminal-based devices, in the form of a state machine. Developing plugins for PMTerminal and TPC means developing the Process and Prompts files.

Plugins and customization
System requirements for TPC are:
- CPM v9.7 or higher
- .NET 4.5.2

TPC is provided out of the box from Core PAS v10.4. TPC v11.2 supports all out-of-the-box platforms previously supported by PMTerminal. PMTerminal will be EOL in September 2020.

TPC vs PMTerminal

| | PMTerminal | TPC |
|---|---|---|
| Performance | 1 Unix account in 45 seconds; 97 Unix accounts in 30 minutes | 1 Unix account in 4 seconds; 1500 Unix accounts in 30 minutes |
| Security | Requires exceptions to Microsoft Data Execution Prevention (DEP) and other security software such as antivirus | Does not require exceptions to DEP or other security software |
| Language | TCL | .NET |

Engines and Plugins: Architecture and flow
When the CPM needs to perform an action it spawns a new process of the relevant Plugin Engine, providing the engine with:
- CPM Action
- Sensitive Information
- Non-Sensitive Information

The Plugin Engine invokes the logic of a plugin. Based on the logic of the plugin, the Plugin Engine connects to the target machine and performs the action.
[Figure: CPM -> Plugin Engine (loading its plugin) -> Target. Examples: PassChng.exe with PMWindows.dll; CANetPluginInvoker with CyberArk.Extensions.Plugin.Azure.dll; PMTerminal/TPC with UnixProcess.ini and UnixPrompts.ini.]

PMTerminal architecture and flow
PMTerminal invokes the logic in the relevant plugin. When managing SSH devices PMTerminal spawns plink, a terminal emulator (the CLI version of PuTTY). plink connects to the target machine using SSH. PMTerminal interacts with plink using a shared buffer in the machine's memory.
[Figure: CPM -> PMTerminal -> plink.exe -> target; the shared buffer carries the terminal session ("Login as:", "Password:", "root@centos$"); plugin files UnixSSHProcess.ini and UnixSSHPrompts.ini.]

TPC architecture and flow
TPC invokes the logic in the relevant plugin. Unlike PMTerminal, the connection over SSH is not done using plink. Instead, TPC uses a library (SSH.NET) that functions as a terminal emulator. For backward compatibility with PMTerminal plugins, instructions in the plugin for launching plink remain the same.
[Figure: CPM -> TPC (SSH.NET library) -> target; plugin files UnixSSHProcess.ini and UnixSSHPrompts.ini.]

CPM Actions
In this section we will look at the CPM actions that take place in the backend between the CPM and the Plugin Engine:
- verifypass
- logon
- changepass
- prereconcilepass
- reconcilepass

CPM Actions (Behind the Scenes)

Verify: verify the existing password.
- CPM sends verifypass to the Plugin Engine
- Plugin Engine logs on to the target with the current credentials (prompt exchange)
- Success or failure is returned to the CPM

Change:
- Verify the existing password: CPM sends logon; the Plugin Engine logs on to the target with the current credentials; success or failure
- Generate a new password
- Change the password: CPM sends changepass; the Plugin Engine logs on with the current credentials and changes the password; success or failure
- Logon with the new credentials

Reconcile:
- Verify the reconcile password: CPM sends prereconcilepass; the Plugin Engine logs on to the target with the reconcile credentials; success or failure
- Generate a new password
- Reconcile the password: CPM sends reconcilepass; the Plugin Engine logs on with the reconcile credentials and resets the target account password; success or failure
- Logon with the new credentials

Sensitive and non-sensitive information
In this section we will take a look at the information sent from the CPM to the plugin engine:
- Sensitive information
- Non-sensitive information

In order to manage passwords the CPM needs to provide the Plugin Engine with the following information:
- CPM Action
- Non-Sensitive Information
- Sensitive Information

Non-Sensitive Information refers to properties from the target account, linked accounts and platform (additional policy settings). Sensitive Information refers to credentials:
- Current Password: pmpass
- New Password: pmnewpass
- Logon Password: pmextrapass1
- Reconcile Password: pmextrapass3

[Figure: CPM -> Plugin Engine. Non-sensitive information: IP address, username, logon and reconcile accounts, port, plugin. CPM action: verifypass, logon, changepass, prereconcilepass, reconcilepass.]

Sensitive information
Sensitive Information refers to credentials:
- Target account password
- Target account new password
- Linked accounts' passwords

The CPM sets these credentials as environment variables in memory, making them available only to the relevant Plugin Engine process.

| Variable | Credentials |
|---|---|
| %pmpass% | Target Account current password |
| %pmnewpass% | Target Account new password |
| %pmextrapass1% | Linked account 1 password |
| %pmextrapass3% | Linked account 3 (reconcile) password |
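As an added illustration (not code from the deck or from CyberArk), the Verify, Change and Reconcile flows and the backend actions described above, simulated in Python against a constructed in-memory target: credentials reach the action handlers only through a mapping standing in for the plugin engine's environment variables (pmpass, pmnewpass, pmextrapass1, pmextrapass3, the names the deck lists), while the FakeTarget class, the props keys (Username, LogonUsername, ReconcileUsername) and the flow names are assumptions.

```python
import os

class FakeTarget:
    # Constructed stand-in for a managed device's account store (not CyberArk code).
    def __init__(self, accounts):
        self.accounts = dict(accounts)
    def logon(self, user, password):
        return self.accounts.get(user) == password
    def change_password(self, user, current, new):
        # Change: the account logs on with its current password and sets a new one.
        ok = self.logon(user, current)
        if ok:
            self.accounts[user] = new
        return ok
    def reset_password(self, admin, admin_pw, user, new):
        # Reconcile: a privileged account resets the password without knowing the old one.
        ok = self.logon(admin, admin_pw)
        if ok:
            self.accounts[user] = new
        return ok

def cpm_action(action, target, props, env=os.environ):
    """One backend CPM action. Credentials come only from env (the pmpass/pmnewpass/
    pmextrapass1/pmextrapass3 variables the CPM sets for the plugin engine process)."""
    if action == "verifypass":
        return target.logon(props["Username"], env["pmpass"])
    if action == "logon":  # logon account, for targets that may not log on directly
        return target.logon(props["LogonUsername"], env["pmextrapass1"])
    if action == "changepass":
        return target.change_password(props["Username"], env["pmpass"], env["pmnewpass"])
    if action == "prereconcilepass":
        return target.logon(props["ReconcileUsername"], env["pmextrapass3"])
    if action == "reconcilepass":
        return target.reset_password(props["ReconcileUsername"], env["pmextrapass3"],
                                     props["Username"], env["pmnewpass"])
    raise ValueError(f"unknown CPM action: {action}")

def run_flow(kind, target, props, env=os.environ):
    """Verify, Change or Reconcile as the deck's action sequence: stop at the first
    failure; change/reconcile end with a logon using the new password before storing."""
    steps = {"verify": ["verifypass"], "change": ["verifypass", "changepass"],
             "reconcile": ["prereconcilepass", "reconcilepass"]}[kind]
    results = []
    for action in steps:
        results.append((action, cpm_action(action, target, props, env)))
        if not results[-1][1]:
            return results
    if kind != "verify":
        results.append(("logon-new", target.logon(props["Username"], env["pmnewpass"])))
    return results
```

Running a change with a stale pmpass fails at verifypass, which is exactly the "lost password" case the reconcile account exists for; the same env with a valid pmextrapass3 then reconciles and the new password verifies.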