The CPM is installed on a Windows system as an automatic system service called CyberArk Password Manager.
It can be stopped and started through the standard Windows service management tools.
To stop the CPM:
- From the Start menu, select Settings, then Control Panel.
- From the list of Control Panel options, select Administrative Tools, then Services; the Services window appears.
- Right-click CyberArk Password Manager, and select Stop.

To start the CPM:
- From the Start menu, select Settings, then Control Panel.
- From the list of Control Panel options, select Administrative Tools, then Services; the Services window appears.
- Right-click CyberArk Password Manager, and select Start.
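The same stop/start cycle from PowerShell, as an added example that is not part of the CyberArk documentation. It looks the service up by the display name given above and waits for each state change; the 60-second timeout is an assumption.

```powershell
$ErrorActionPreference = 'Stop'               # any failure aborts the script
$displayName = 'CyberArk Password Manager'    # display name as given on this page
$timeout     = [TimeSpan]::FromSeconds(60)    # assumed limit, tune to your environment

$svc = Get-Service -DisplayName $displayName

# The page describes the CPM as an automatic service; warn if that has drifted.
if ($svc.StartType -ne 'Automatic') {
    Write-Warning "Start type is $($svc.StartType); the CPM is installed as an automatic service"
}

# Stop only if needed, and wait until the service has really stopped.
if ($svc.Status -ne 'Stopped') {
    Stop-Service -InputObject $svc
    $svc.WaitForStatus('Stopped', $timeout)
}

# Start again and confirm the service reaches Running before reporting.
Start-Service -InputObject $svc
$svc.WaitForStatus('Running', $timeout)

$svc.Refresh()
'{0} is {1}' -f $svc.DisplayName, $svc.Status
```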
Configure the Central Policy Manager
In addition to platforms, the CPM has its own configuration settings. These include general parameters for the CPM, and extra parameters related to log files and email notifications. The configuration file containing the settings (cpm.ini) is created automatically during setup and stored in the Root folder of the <username> Safe, by default called the ‘PasswordManager’ Safe. Users can configure it through the ADMINISTRATION page.
To configure the CPM through the PVWA:
- Log on to the PVWA with an Administrator user.
- Click Administration > Configuration Options, and at the bottom, click CPM Settings.
- In the left pane, click General, and enter the following information:
Interval parameters
Name | Description |
---|---|
Interval | Specify the number of minutes after which the CPM re-reads the list of platforms, in order to handle new platforms or remove deleted ones. |
Email parameters
Specify the following email parameters so that the CPM can send error notifications to defined recipients. For more information, refer to Administration.
Name | Description |
---|---|
NotifyPeriod | The minimal interval in hours between email notifications. |
NotifyOnlyOnError | Whether or not to send only error notifications. |
AdminEmailAddress | The email address where email notifications will be sent. |
SmtpServer | The IP address of the SMTP server. |
SenderAddress | The email address where the email is sent from. |
Subject | The subject title of the email. |
Log parameters
Specify the following log parameters so that the CPM can save log files and upload them into the Vault. For more information, refer to Administration.
Name | Description |
---|---|
LogCheckPeriod | The interval in hours after which the log files will be uploaded to the Vault. After the log files are uploaded to the Vault, they are deleted from the CPM machine. This is relevant to the pm and pm_error log files. ThirdParty logs are not uploaded to the Vault and are copied to the Logs\Old\ThirdParty folder based on this interval. |
LogSafeFolderName | The full name of the folder in the Safe where the log files will be saved. |
LogSafeName | The name of the Safe where the log files will be saved. |
Events parameters
Specify the following Events parameters so that the Password Vault Web Access will be able to display information about the CPM.
Name | Description |
---|---|
WriteStartCycleEvent | Whether or not the CPM will write an ‘I’m alive’ event each time it reads platforms from the CPM Safe. These events are written to the PasswordManager_Info Safe. |
LogPasswordEvents | Whether or not the CPM will write a corresponding event each time it changes, verifies, or reconciles a password. |
CopyPoliciesToCPMInfoSafe | Whether or not the CPM will copy platform files from the CPM Safe to the CPM information Safe each time it reads these files, so that they can be viewed by users in the PVWA. |
DisableExceptionHandling | How the CPM will function when the system stops suddenly. Yes – The CPM will pass control of exception handling to the operating system, resulting in crash dumps. This is the default value. No – The CPM will log a system crash, but will not pass control to the operating system. |
Auto-detection parameters
Specify the following auto-detection parameters to determine how the CPM will manage auto-detection processes.
Name | Description |
---|---|
ADPoolSize | The number of automatic detection processes that can be executed concurrently. Restart the CPM to apply this parameter. |
AllowManualRequests | Whether or not the CPM will search for auto-detection processes initiated manually by users. |
ManualRequestsInterval | The time interval in minutes between searches for auto-detection processes initiated manually by users. |
ManualRequestsRecoveryStartTime | The number of retroactive hours to search for auto-detection processes initiated manually by users. |
Security parameters
Name | Description |
---|---|
VerifyEnginesSignatures | Indicates whether CPM validates the integrity of the engines running the plugins using certificates. |

- Click Apply to apply the new configurations.
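An added example (not CyberArk code) that reads a cpm.ini-style file and flags settings from the tables above that weaken engine integrity checking, error notification or logging. The sample file is constructed, and the Name=Value layout, the `[Main]` header and the Yes/No spellings are assumptions about the file format; the rules are this example's own hygiene checks.

```powershell
# Constructed sample, not a real cpm.ini. Layout and value spellings are assumed.
$sample = @'
[Main]
Interval=1
NotifyOnlyOnError=Yes
AdminEmailAddress=
SmtpServer=smtp.example.test
LogCheckPeriod=0
LogSafeName=PasswordManager
LogSafeFolderName=Root\Logs
LogPasswordEvents=No
VerifyEnginesSignatures=No
'@

function ConvertFrom-CpmIni([string]$Text) {
    $cfg = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        # Keep Name=Value pairs; skip blanks, ';' comments and [section] headers.
        if ($line -match '^\s*([^;\[\s=][^=]*?)\s*=\s*(.*?)\s*$') {
            $cfg[$Matches[1]] = $Matches[2]
        }
    }
    return $cfg
}

function Test-CpmIni([hashtable]$Cfg) {
    $ip = $null; $hours = 0
    # Each check maps to one parameter described on this page.
    if ($Cfg['VerifyEnginesSignatures'] -ne 'Yes') {
        'VerifyEnginesSignatures: plugin engine integrity is not validated'
    }
    if ([string]::IsNullOrWhiteSpace($Cfg['AdminEmailAddress'])) {
        'AdminEmailAddress: no recipient for error notifications'
    }
    if (-not ([System.Net.IPAddress]::TryParse([string]$Cfg['SmtpServer'], [ref]$ip))) {
        'SmtpServer: value is not an IP address'
    }
    if (-not ([int]::TryParse([string]$Cfg['LogCheckPeriod'], [ref]$hours)) -or ($hours -le 0)) {
        'LogCheckPeriod: not a positive number of hours'
    }
    foreach ($name in 'LogSafeName', 'LogSafeFolderName') {
        if ([string]::IsNullOrWhiteSpace($Cfg[$name])) { "${name}: no Vault destination for logs" }
    }
    if ($Cfg['LogPasswordEvents'] -ne 'Yes') {
        'LogPasswordEvents: change, verify and reconcile operations write no event'
    }
}

Test-CpmIni (ConvertFrom-CpmIni $sample) | ForEach-Object { "FINDING  $_" }
```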
Scenarios for Check-in / Check-out / OTP
https://cyberark.my.site.com/s/article/Understanding-the-possible-One-Time-Password-Exclusive-and-Allow-Manual-Change-combinations
– Account is locked when retrieved.
One-time password & allow manual change (without exclusive):
- Changes to the Master Policy settings take effect only after the CPM refresh interval passes or the CyberArk Password Manager service is restarted.
- Also, check that the PasswordManagerUser has “unlock user” permissions.
- The platform Interval setting also has an impact on when CPM will perform password changes. For details, see CPM – Password change time and reset immediately time frame, change now
Change password automatically by CPM
The CPM generates unique and highly secure passwords using the password policy and the random password generation mechanism. So, generally, passwords that are managed by the CPM do not require manual intervention.
Passwords are changed by the CPM in the following scenarios:
Scenario | Description |
---|---|
Password expired | The expiration period is configured in the Master Policy using the Require password change every X days rule. |
Request timeframe | A user requests to connect to an account or display a password (dual-control) for a certain timeframe, and that request is approved. Once the timeframe expires, the password is changed (if the user already released the account, it is changed upon release). |
Manual initiation | If the account is managed by the CPM, when the user clicks Change, an immediate change CPM operation is initiated. |
One-time and exclusive passwords | Passwords that are defined as one-time passwords or that are configured for Exclusive Account mode are changed after every use. These are configured in the Master Policy with the |
Account groups | When the password of an account that is a member of a group is changed, the password values for the entire group are also changed. |
Change passwords
The password change processes determine how frequently passwords are changed and how the changes are initiated. These processes are configured in the
Verify passwords
The password verification processes determine how frequently passwords are verified and how the verification is initiated. These processes are configured in the
Reconcile passwords
The CPM reconciles passwords according to the following Password Reconciliation parameters:
The password reconciliation processes determine how frequently passwords are reconciled and how the reconciliation is initiated. These processes are configured in the
Change password manually by user
You have the following options for changing the password:
Action | Description |
---|---|
Trigger the CPM to change the password | The account is managed by the CPM. CPM changes the password in both the target machine and in You must have the following Safe member authorizations to initiate a password change: |
Change the password manually only in | You must have the following Safe member authorizations in the safe where the account is stored: |
Troubleshooting
\Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
The Minimum password age policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If Maximum password age is between 1 and 999 days, the minimum password age must be less than the maximum password age. If Maximum password age is set to 0, Minimum password age can be any value between 0 and 998 days.
This policy setting is supported on versions of Windows that are designated in the Applies To list at the beginning of this topic.
Additionally, you can associate a Reconcile account to the platform in order to override the Minimum Password Age by resetting the password.