Who rated this post

cancel
Showing results for 
Search instead for 
Did you mean: 
Norbert_Bohusch
Advisor

CyberArk - PSM Connection Component - SmartConsole + Gaia

I managed to automate login for SmartConsole and Gaia for the CyberArk PSM. I developed it with R80.20.M2 but I assume it should work for all R80.x versions.

It writes login information into a temporary file of the PSM Shadow User and uses the CLI parameter -p to read this file. The temporary file is deleted directly after logon. (reference: Command Line Arguments to R80.10 SmartConsole.exe)

It should be remembered that everybody with access to the PSM and the rights needed to open the PSM Shadow Users Temp directory, might see the credentials during the logon process!

The platform which uses the connection needs the following parameters:

- username = SmartConsole User

- address = IP/FQDN of Check Point Management

- domain (optional) = Domain for MDM

If the SmartConsole User is configured to use "OS Password" and is configured on Gaia, the CyberArk preintegrated CPM plugin for Gaia-SSH can be also used to manage this account!

I also configured a PSM-WebApp for Chrome by using the following WebForm Settings:

LogonURL = "https://{address}:{WebUI_Port}"

WebFromFields:

txtUserName > {Username}

txtPwd > {Password}

login_button > (Button)

top_panel_user_name1 > (Validation)

Some things are to consider for the SmartConsole login procedure:

1. Fingerprint on first login

Currently I am blocking user input on logon. As the window with fingerprint can not be differentiated from the normal loading sequence, I am waiting 10 seconds before discovering the window and then press "Enter" to accept the fingerprint (if it is there).

This is OK in my tests but might cause troubles with slow connections.

Another solution would be to unblock the user input and let the user choose. 

Or even better, if there was a way to put the fingerprint into the account in CyberArk and put it automaticall in the LoginParms file to only allow login to a management with correct fingerprint. -> question is: is this possible?

2. MDM

As the user input is blocked, someone is not able to choose the "Login Domain". Therefor it has to be supplied on the account with the "domain" parameter beforehand.

There are 2 possibilites to achieve this:

  1. have multiple accounts in CyberArk with different "domain" parameters. So one with MDS, one with Global, and others with the domain names. And then put them in a group and manage the whole group through CyberArk.
  2. allow user input in CyberArk to choose the domain like for Windows Domain accounts with the target machine
  3. unblock user input and let the user choose, considering the component might timeout in this process

change from 30.1.:

I found an issue with MDM part and fixed it.

I also integrated the possiblity to use PSMRemoteMachine parameter instead of domain parameter, so a picker can be used to choose the domain.

(1)
Who rated this post