Norbert_Bohusch
Advisor

CyberArk - PSM Connection Component - SmartConsole + Gaia

I managed to automate login for SmartConsole and Gaia for the CyberArk PSM. I developed it with R80.20.M2 but I assume it should work for all R80.x versions.

It writes login information into a temporary file of the PSM Shadow User and uses the CLI parameter -p to read this file. The temporary file is deleted directly after logon. (reference: Command Line Arguments to R80.10 SmartConsole.exe)

It should be remembered that everybody with access to the PSM and the rights needed to open the PSM Shadow User's Temp directory might see the credentials during the logon process!

The platform which uses the connection needs the following parameters:

- username = SmartConsole User

- address = IP/FQDN of Check Point Management

- domain (optional) = Domain for MDM

If the SmartConsole User is configured to use "OS Password" and is configured on Gaia, the CyberArk preintegrated CPM plugin for Gaia-SSH can also be used to manage this account!

I also configured a PSM-WebApp for Chrome by using the following WebForm Settings:

LogonURL = "https://{address}:{WebUI_Port}"

WebFormFields:

txtUserName > {Username}

txtPwd > {Password}

login_button > (Button)

top_panel_user_name1 > (Validation)

Some things to consider for the SmartConsole login procedure:

1. Fingerprint on first login

Currently I am blocking user input on logon. As the window with the fingerprint cannot be differentiated from the normal loading sequence, I am waiting 10 seconds before discovering the window and then press "Enter" to accept the fingerprint (if it is there).

This is OK in my tests but might cause troubles with slow connections.

Another solution would be to unblock the user input and let the user choose. 

Or even better, if there was a way to put the fingerprint into the account in CyberArk and put it automatically in the LoginParms file to only allow login to a management with the correct fingerprint. -> question is: is this possible?

2. MDM

As the user input is blocked, one is not able to choose the "Login Domain". Therefore it has to be supplied on the account with the "domain" parameter beforehand.

There are 2 possibilities to achieve this:

  1. have multiple accounts in CyberArk with different "domain" parameters. So one with MDS, one with Global, and others with the domain names. And then put them in a group and manage the whole group through CyberArk.
  2. allow user input in CyberArk to choose the domain like for Windows Domain accounts with the target machine
  3. unblock user input and let the user choose, considering the component might timeout in this process

change from 30.1.:

I found an issue with MDM part and fixed it.

I also integrated the possibility to use the PSMRemoteMachine parameter instead of the domain parameter, so a picker can be used to choose the domain.
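The post describes the mechanism (write the login parameters to a file in the shadow user's temp directory, launch SmartConsole with -p, delete the file) but not what the file looks like or what can go wrong while it exists. The script posted further down in this thread shows it is an XML document built by plain string concatenation. The Python below is an added example, not Norbert's connector and not code from Check Point or CyberArk, that produces the same document with the two safeguards a reviewer would ask for: the XML is emitted by a serializer, so a password containing `<`, `&` or `"` cannot produce a malformed file, and the file is created exclusively (no pre-existing file or planted link at that name is reused), with owner-only permissions where the OS honours a mode, and removed when the launch block exits, whatever happens inside it. Element names are copied from the thread's script; that SmartConsole's parser accepts standard XML entity escaping is an assumption, the sample credentials are constructed, and the launch itself is only prepared as an argument vector, not executed.

```python
"""Added example: build and handle the SmartConsole login parameters file safely.

Not the thread's connector code. Element names mirror the AutoIt script posted
in this thread; function names and sample values are constructed for illustration.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from contextlib import contextmanager
from typing import Dict, Iterator, List, Optional, Tuple

# Namespace declarations exactly as the thread's connector writes them.
_NS_ATTRS = {
    "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "xmlns:xsd": "http://www.w3.org/2001/XMLSchema",
}


def naive_login_params(username: str, address: str, password: str, domain: str = "") -> bytes:
    """String concatenation, as the AutoIt connector does it: no escaping at all.
    Kept only to show the failure mode; a password with '<' or '&' breaks the document."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\r\n'
        '<RemoteLaunchParemeters xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xmlns:xsd="http://www.w3.org/2001/XMLSchema">\r\n'
        f"<Username>{username}</Username>\r\n"
        f"<ServerIP>{address}</ServerIP>\r\n"
        f"<Password>{password}</Password>\r\n"
        f"<DomainName>{domain}</DomainName>\r\n"
        "</RemoteLaunchParemeters>"
    ).encode("utf-8")


def build_login_params(username: str, address: str, password: str, domain: str = "") -> bytes:
    """Same document, produced by a serializer so every value is entity-escaped."""
    root = ET.Element("RemoteLaunchParemeters", _NS_ATTRS)
    ET.SubElement(root, "Username").text = username
    ET.SubElement(root, "ServerIP").text = address
    ET.SubElement(root, "Password").text = password
    ET.SubElement(root, "DomainName").text = domain
    # short_empty_elements=False keeps <DomainName></DomainName> like the connector writes it
    return ET.tostring(root, encoding="utf-8", xml_declaration=True, short_empty_elements=False)


def is_well_formed(xml_bytes: bytes) -> bool:
    """True when the bytes parse as XML; the naive builder fails this for special characters."""
    try:
        ET.fromstring(xml_bytes)
        return True
    except ET.ParseError:
        return False


def parse_login_params(xml_bytes: bytes) -> Dict[str, str]:
    """Read the document back the way a consumer would; returns tag -> text."""
    return {child.tag: (child.text or "") for child in ET.fromstring(xml_bytes)}


@contextmanager
def login_params_file(content: bytes, directory: Optional[str] = None) -> Iterator[str]:
    """Create the parameters file with O_EXCL (a pre-existing file or link at the name is
    never reused) and mode 0o600 where the OS honours it; delete it on exit even if the
    code inside the block raises. On Windows the file inherits the ACL of the temp
    directory, which is why the shadow user's Temp directory permissions matter."""
    fd, path = tempfile.mkstemp(prefix="SmartConsole.", suffix=".LoginParams", dir=directory)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(content)
        yield path
    finally:
        try:
            os.remove(path)
        except FileNotFoundError:
            pass


def launch_argv(smartconsole_exe: str, params_path: str) -> List[str]:
    """Argument vector for the '-p' launch described in the post (prepared, not executed)."""
    return [smartconsole_exe, "-p", params_path]


def file_lifecycle_check() -> Tuple[bool, bool, bool]:
    """Returns (file existed while in use, file exists afterwards, owner-only mode).
    A correct run yields (True, False, True)."""
    content = build_login_params("admin", "192.0.2.10", "s3cret&<x>")  # constructed sample
    with login_params_file(content) as path:
        during = os.path.exists(path)
        owner_only = True if os.name == "nt" else (os.stat(path).st_mode & 0o077) == 0
    return during, os.path.exists(path), owner_only


if __name__ == "__main__":
    sample = build_login_params("admin", "192.0.2.10", 'p<ss&w"rd', "MDS")
    print(sample.decode())
    print(parse_login_params(sample))
    print(launch_argv(r"C:\Program Files (x86)\CheckPoint\SmartConsole\PROGRAM\SmartConsole.exe", "x.LoginParams"))
    print(file_lifecycle_check())
```

The contrast between naive_login_params and build_login_params is the point: the connector's FileWrite lines work only for passwords without XML metacharacters, which is exactly the kind of assumption a CPM-rotated password will eventually violate.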

22 Replies
Aleksandr
Explorer

Hello Norbert !

Very helpful article and also connector... We need to test it for one of our implementations... But after we tried to use it, we found that 4 additional scripts are required: PSMGenericClientWrapper.au3, BlockInputEx.au3, File.au3, FileConstants.au3... We didn't see them in the archive "SmartConsole-R80.20.M2.au3.zip" which you provided... So where can we find them? The connector fails to work without them.

Thank you in advance!

Kind regards,

Rozdaibida Aleksandr

0 Kudos
Aleksandr
Explorer

Hello Norbert !

Sorry, I was mistaken, BlockInputEx.au3 was missing in my components folder. Everything is working perfectly. Many thanks

Kind regards,

Rozdaibida Oleksandr

0 Kudos
haniffnordin
Explorer

Hi Aleksandr,

 

May I know where you got these BlockInputEx.au3, File.au3 and FileConstants.au3 files?

and how do you import the SmartConsole-R80.20.M2.au3.zip connector inside CyberArk?

best regards.

0 Kudos
Bart_Leysen
Contributor

Hi Norbert,

I'm using R80.30, and it's almost working.

PSM is giving me an error

PSMSR126E [ff51ee50-b91d-4b96-95f4-7c3ff1d98f4b] Failure occurred while handling session. PSMSR605E [ff51ee50-b91d-4b96-95f4-7c3ff1d98f4b] Error occurred while waiting for the dispatcher to communicate (Error details: [PSMSR606E [ff51ee50-b91d-4b96-95f4-7c3ff1d98f4b] Timeout occurred while waiting for a specific component to end])

 

Any idea what the issue could be?

 

Thank you

Bart

 

0 Kudos
Norbert_Bohusch
Advisor

Hi Bart,
What would you expect for other files?
It is not a platform to be imported as is; manual work is needed to implement it in its current state...
0 Kudos
Bart_Leysen
Contributor

Hi Norbert,

 

Sorry for the confusion, I managed to get it almost working.

It seems that the PSM is generating an error. It looks like a timeout.

We are using R80.30.

PSMSR126E [adaa7407-d8cc-4b10-88d3-b2caa9461fa2] Failure occurred while handling session. PSMSR605E [adaa7407-d8cc-4b10-88d3-b2caa9461fa2] Error occurred while waiting for the dispatcher to communicate (Error details: [PSMSR606E [adaa7407-d8cc-4b10-88d3-b2caa9461fa2] Timeout occurred while waiting for a specific component to end])

 

Any idea?

 

Thank you

Bart

 

0 Kudos
Norbert_Bohusch
Advisor

there are many things to consider:
- paths of installed SmartConsole
- applocker if configured
and so on...
0 Kudos
Bart_Leysen
Contributor

The path is correct, because the application is opening.

Also applocker is not yet configured.

 

 


0 Kudos
Bart_Leysen
Contributor

What I did notice is that the tooltip below stays on the screen for a very long time.

 

ToolTip ("Starting " & $DISPATCHER_NAME & "...")

 

 

0 Kudos
Norbert_Bohusch
Advisor

The issue is that with R80.20.M2 the window title was in a different layout than it is now.
Please change the following in the function "LoginProcess":

Local $TITLE2 = "SmartConsole (" & $TargetAddress & ")"
If ($TargetDomain <> "") Then
    $TITLE2 = "SmartConsole - " & $TargetDomain
    AutoItSetOption("WinTitleMatchMode", 1) ; Match partial from the start
EndIf

to:

Local $TITLE2 = $TargetAddress & " - SmartConsole"
If ($TargetDomain <> "") Then
    $TITLE2 = $TargetDomain & " (" & $TargetAddress & ") - SmartConsole"
    AutoItSetOption("WinTitleMatchMode", 1) ; Match partial from the start
EndIf

 

0 Kudos
Bart_Leysen
Contributor

Hi Norbert,

 

Thank you for this, but it was still failing.

It was pointing me into the direction to get it working.

I commented out everything for $TITLE2.

So my loginProcess function now looks like below.

This is working for me.

 

Func LoginProcess()
    LogWrite("START -> LoginProcess()")

    ; Titles
    Local $TITLE1 = "Check Point SmartConsole"
    ;~ Local $TITLE2 = $TargetAddress & " - SmartConsole"
    ;~ If ($TargetDomain <> "") Then
    ;~     $TITLE2 = $TargetDomain & " (" & $TargetAddress & ") - SmartConsole"
    ;~     AutoItSetOption("WinTitleMatchMode", 1) ; Match partial from the start
    ;~ EndIf

    ;Local $TITLE2 = "SmartConsole (" & $TargetAddress & ")"
    ;If ($TargetDomain <> "") Then
    ;    $TITLE2 = "SmartConsole - " & $TargetDomain
    ;    AutoItSetOption("WinTitleMatchMode", 1) ; Match partial from the start
    ;EndIf

    ; Check for fingerprint information
    LogWrite("Check for fingerprint information")
    Sleep(10000)
    WinActivate($TITLE1)
    Sleep($sleep)
    Local $hwind1 = WinWaitActive($TITLE1, "", 20)
    If ($hwind1 <> 0) Then
        ControlSend($TITLE1, "", "", "{ENTER}")
    EndIf

    ; delete login parameter file
    LogWrite("deleting login parameters file")
    FileDelete($LOGIN_PARMS_FILE)

    LogWrite("Wait for application to load")
    ; SmartConsole - Login Windows
    ;~ WinActivate($TITLE2)
    ;~ Sleep($sleep)
    ;~ WinWaitActive($TITLE2)

    ;~ $ConnectionClientPID = WinGetProcess($TITLE2)

    LogWrite("END -> LoginProcess()")
EndFunc

0 Kudos
Norbert_Bohusch
Advisor

If you commented that out, then you are not capturing the PID of the last window and are sending the wrong PID to PSM for recording...
I assume recording will then not work 😉
0 Kudos
Bart_Leysen
Contributor

The funny thing is, recording is working.

I can do a live view, of my work 🙂

 

0 Kudos
Bart_Leysen
Contributor

Hi Norbert,

We now upgraded to R81.10, but it seems that the script isn't working anymore. Any idea what I need to change except the path of SmartConsole?

#AutoIt3Wrapper_UseX64=n
Opt("MustDeclareVars", 1)
AutoItSetOption("WinTitleMatchMode", 3) ; Exact title match

;==========================================================================
; PSM Universal Connector - Check Point SmartConsole Dispatcher
; -----------------------------------------
; Vendor: Check Point
; Product: SmartConsole
; Version: R80.30
; Creator: Norbert Bohusch, Bacher Systems EDV GmbH
;==========================================================================

#include "PSMGenericClientWrapper.au3"
#include <BlockInputEx.au3>
#include <File.au3>
#include "FileConstants.au3"

;=======================================
; Consts & Globals
;=======================================
Global Const $DISPATCHER_NAME = "Check Point SmartConsole"
Global Const $LOGIN_PARMS_FILE = @TempDir & "\SmartConsole.LoginParams" ; Temporary Login Parameters File in TEMP folder
Global Const $CLIENT_EXECUTABLE = """C:\Program Files (x86)\CheckPoint\SmartConsole\R81.10\PROGRAM\SmartConsole.exe"" -p " & $LOGIN_PARMS_FILE ; CHANGE_ME - change if installed in different path

Global Const $ERROR_MESSAGE_TITLE = "PSM " & $DISPATCHER_NAME & " Dispatcher error message"
Global Const $LOG_MESSAGE_PREFIX = $DISPATCHER_NAME & " Dispatcher - "

Global $TargetUsername ; Will be fetched from the PSM session
Global $TargetPassword ; Will be fetched from the PSM session
Global $TargetAddress  ; Will be fetched from the PSM session
Global $TargetDomain   ; Will be fetched from the PSM session (PSMRemoteMachine or Domain property, optional)

Global $ConnectionClientPID = 0
Global Const $sleep = 1000

;=======================================
; Code
;=======================================
Exit Main()

;=======================================
; Main
;=======================================
Func Main()
    ; Init PSM Dispatcher utils wrapper
    ToolTip("Initializing...")
    If (PSMGenericClient_Init() <> $PSM_ERROR_SUCCESS) Then
        Error(PSMGenericClient_PSMGetLastErrorString())
    EndIf

    LogWrite("successfully initialized Dispatcher Utils Wrapper")

    ; Get the dispatcher parameters
    FetchSessionProperties()

    _BlockInputEx(1) ; Block all user input while the login is automated

    ; Write Login Parameter File
    ToolTip("Writing login parameter file...")

    Local Const $hFile = FileOpen($LOGIN_PARMS_FILE, $FO_OVERWRITE)
    If ($hFile = -1) Then ; FileOpen returns -1 when the file cannot be created
        Error("Failed to create login parameter file: " & $LOGIN_PARMS_FILE)
    EndIf
    ;LogWrite("Opened File: " & $LOGIN_PARMS_FILE)
    LogWrite("writing login parameter file")

    ; Values are written without XML escaping; a password containing <, > or & will break this file
    FileWrite($hFile, "<?xml version=""1.0"" encoding=""utf-8""?>" & @CRLF)
    FileWrite($hFile, "<RemoteLaunchParemeters xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"">" & @CRLF)
    FileWrite($hFile, "<Username>" & $TargetUsername & "</Username>" & @CRLF)
    FileWrite($hFile, "<ServerIP>" & $TargetAddress & "</ServerIP>" & @CRLF)
    FileWrite($hFile, "<Password>" & $TargetPassword & "</Password>" & @CRLF)
    FileWrite($hFile, "<DomainName>" & $TargetDomain & "</DomainName>" & @CRLF)
    FileWrite($hFile, "</RemoteLaunchParemeters>")
    FileClose($hFile)

    ; Run exe and activate
    LogWrite("starting client application: " & $CLIENT_EXECUTABLE)
    ToolTip("Starting " & $DISPATCHER_NAME & "...")
    $ConnectionClientPID = Run($CLIENT_EXECUTABLE, "", @SW_MAXIMIZE)
    If ($ConnectionClientPID = 0) Then
        Error(StringFormat("Failed to execute process [%s]", $CLIENT_EXECUTABLE, @error))
    EndIf

    LoginProcess()
    _BlockInputEx(0) ; Unblock all

    ; Send PID to PSM as early as possible so recording/monitoring can begin
    LogWrite("sending PID to PSM")
    If (PSMGenericClient_SendPID($ConnectionClientPID) <> $PSM_ERROR_SUCCESS) Then
        Error(PSMGenericClient_PSMGetLastErrorString())
    EndIf

    ; Terminate PSM Dispatcher utils wrapper
    LogWrite("Terminating Dispatcher Utils Wrapper")
    PSMGenericClient_Term()

    Return $PSM_ERROR_SUCCESS
EndFunc

Func LoginProcess()
    LogWrite("START -> LoginProcess()")

    ; Titles
    Local $TITLE1 = "Check Point SmartConsole"
    ; newer title layout (commented out)
    ; Local $TITLE2 = $TargetAddress & " - SmartConsole"
    ; If ($TargetDomain <> "") Then
    ;     $TITLE2 = $TargetDomain & " (" & $TargetAddress & ") - SmartConsole"
    ;     AutoItSetOption("WinTitleMatchMode", 1) ; Match partial from the start
    ; EndIf

    ; R80.20.M2 title layout (commented out)
    ;Local $TITLE2 = "SmartConsole (" & $TargetAddress & ")"
    ;If ($TargetDomain <> "") Then
    ;    $TITLE2 = "SmartConsole - " & $TargetDomain
    ;    AutoItSetOption("WinTitleMatchMode", 1) ; Match partial from the start
    ;EndIf

    ; Check for fingerprint information
    LogWrite("Check for fingerprint information")
    Sleep(10000)
    WinActivate($TITLE1)
    Sleep($sleep)
    Local $hwind1 = WinWaitActive($TITLE1, "", 20)
    If ($hwind1 <> 0) Then
        ControlSend($TITLE1, "", "", "{ENTER}") ; accept the fingerprint dialog if it is showing
    EndIf

    ; delete login parameter file
    LogWrite("deleting login parameters file")
    FileDelete($LOGIN_PARMS_FILE)

    LogWrite("Wait for application to load")
    ; SmartConsole - Login Windows
    ;~ WinActivate($TITLE2)
    ;~ Sleep($sleep)
    ;~ WinWaitActive($TITLE2)

    ;~ $ConnectionClientPID = WinGetProcess($TITLE2)

    LogWrite("END -> LoginProcess()")
EndFunc

;==================================
; Functions
;==================================

; #FUNCTION# ====================================================================================================================
; Name...........: Error
; Description ...: An exception handler - displays an error message and terminates the dispatcher
; Parameters ....: $ErrorMessage - Error message to display
;                  $Code - [Optional] Exit error code
; ===============================================================================================================================
Func Error($ErrorMessage, $Code = -1)
    ; If the dispatcher utils DLL was already initialized, write an error log message and terminate the wrapper
    If (PSMGenericClient_IsInitialized()) Then
        LogWrite($ErrorMessage, True)
        PSMGenericClient_Term()
    EndIf

    ; Make sure the clear-text login parameter file never outlives a failed session
    FileDelete($LOGIN_PARMS_FILE)

    Local $MessageFlags = BitOR(0, 16, 262144) ; 0=OK button, 16=Stop-sign icon, 262144=MsgBox has top-most attribute set

    MsgBox($MessageFlags, $ERROR_MESSAGE_TITLE, $ErrorMessage)

    ; If the connection component was already invoked, terminate it
    If ($ConnectionClientPID <> 0) Then
        ProcessClose($ConnectionClientPID)
        $ConnectionClientPID = 0
    EndIf

    Exit $Code
EndFunc

; #FUNCTION# ====================================================================================================================
; Name...........: LogWrite
; Description ...: Write a dispatcher log message to the standard PSM log file
; Parameters ....: $sMessage - [IN] The message to write
;                  $LogLevel - [Optional] [IN] Defines if the message should be handled as an error message or as a trace message
; Return values .: $PSM_ERROR_SUCCESS - Success, otherwise error - Use PSMGenericClient_PSMGetLastErrorString for details.
; ===============================================================================================================================
Func LogWrite($sMessage, $LogLevel = $LOG_LEVEL_TRACE)
    Return PSMGenericClient_LogWrite($LOG_MESSAGE_PREFIX & $sMessage, $LogLevel)
EndFunc

; #FUNCTION# ====================================================================================================================
; Name...........: FetchSessionProperties
; Description ...: Fetches the properties required for the session (Address, Username, Password and the optional domain)
; Parameters ....: None
; Return values .: None
; ===============================================================================================================================
Func FetchSessionProperties()
    Local $ErrorPrefix = "Connector failed to retrieve value of attribute:"

    If (PSMGenericClient_GetSessionProperty("Address", $TargetAddress) <> $PSM_ERROR_SUCCESS) Then
        Error($ErrorPrefix & "Address")
    EndIf

    If (PSMGenericClient_GetSessionProperty("Username", $TargetUsername) <> $PSM_ERROR_SUCCESS) Then
        Error($ErrorPrefix & "Username")
    EndIf

    If (PSMGenericClient_GetSessionProperty("Password", $TargetPassword) <> $PSM_ERROR_SUCCESS) Then
        Error($ErrorPrefix & "Password")
    EndIf

    ; The domain is optional: prefer PSMRemoteMachine (chosen via the picker), fall back to the Domain property, else empty
    If (PSMGenericClient_GetSessionProperty("PSMRemoteMachine", $TargetDomain) <> $PSM_ERROR_SUCCESS) Then
        If (PSMGenericClient_GetSessionProperty("Domain", $TargetDomain) <> $PSM_ERROR_SUCCESS) Then
            $TargetDomain = ""
        EndIf
    EndIf
EndFunc

0 Kudos
Norbert_Bohusch
Advisor

Hi,

unfortunately Check Point removed the possibility to start SmartConsole with an XML file in clear text in R81.

https://community.checkpoint.com/t5/Management/R81-SmartConsole-config-file-doesn-t-work/m-p/112464/...

So this CyberArk Connection Component is not working anymore.

0 Kudos
Bart_Leysen
Contributor

That's very unfortunate, so there is no way to get this working with CyberArk again.

 

Thank you very much for your answer Norbert, it's very much appreciated.

0 Kudos
Norbert_Bohusch
Advisor

At least not in this way with XML file.

By using the tabulator key and jumping to the login fields, it should be possible, but that is typically not that stable....

0 Kudos
omarPadilla
Explorer

Hi Norbert,

The script you generated still works for me, very good input. But when I try to add a New Tab, I get "Error loading tab - Error: Aborted". Any ideas about it? I would appreciate it.

Greetings.

(attachment: Error.PNG)

0 Kudos
SkipperNavy
Contributor

Hi Omar, this is about AppLocker.

You have to allow this process, SMARTVIEWBROWSER.EXE, in the configapplocker script.

 

Regards

0 Kudos
Omar_Gonzalez
Explorer

Hi Norbert, great file, I have configured it to work with R80.30, but does anyone know how to turn off the "What's New" SmartConsole window completely? This window does not let me click anywhere else when PSM starts the connection. Thanks for the info.

0 Kudos
