Cyber-Ark Interview Questions & Answers Part-1

• January 03 2024

Cyber-Ark Interview Questions & Answers Part-1

Cyber-Ark Interview Questions

These interview questions will help you out in getting your dream job in Cyber-Ark. These questions are generally asked in Cyber-Ark interviews so go through to have a good insight about Cyber-Ark Operations, Implementations, Automations related Q&A.

 

Top 10 Frequently Asked CyberArk Interview Questions:

 

Q.1. Define your Current CyberArk Infrastructure?

Q.2. Your roles & responsibilities?

Q.3. How to login as a Master User?

Q.4. How to activate a user if get suspended?

Q.5. What are the different ways of onboarding an account?

Q.6. How to increase password retrieval time?

Q.7. Workflow of PSM Connection?

Q.8. Functions of PVWAApp, PVWAGW, PSMAPP, PSMGW Users?

Q.9. What are the ports used by CPM to change password?

Q.10. Why CPM cannot be load balanced?

 

CyberArk Interview Questions and Answers for Freshers & Advanced:

 

Q.1. Define your Current CyberArk Infrastructure?

Generally, interviewer starts the CyberArk interview with this question:

You should talk about your current infrastructure like how many Vaults are there and if Vaults are standalone or in HA, then how many PVWAs, CPMs, PSMs, PSMPs, PTA etc.

You should talk about your infra only as interviewer will be asking the questions on that behalf.

If I must answer this question as per my current lab environment, then it must have been like:

In our current CyberArk environment, we have:

2 Standalone Vaults (One Production Vault and One DR Vault)

1 PVWA

1 PSM

1 CPM

1 PSMP

We use LDAPs authentication for logging in PVWA

Also tell them how many accounts you manage.

Like in my lab I have onboarded only 3-4 accounts.

In this way, you can answer to above question and if you have more components then paraphrase the above lines accordingly.

Q.2. Your roles & responsibilities?

Most of the interviewer ask these questions:

Answer this question as per your profile only because interviewer may ask his next questions on behalf of your roles & responsibilities.

If I must answer this question, then it must have been like:

My roles & responsibilities are:

Working as a Subject Matter Expert (SME) and supporting the project in Operations, Upgrades, Implementation to ensure smooth operations.

Upgrading CyberArk components if a new version is released which include Vault, CPMs, PVWAs, PSMPs, AAM, PTA & PSM in HA along with a standalone instance at DR site.

Travelling onsite and discussing with various teams which includes windows, Unix, Networking, and security along with various application team to understand the current privilege accounts being used and understand the current way how these accounts can be managed.

Customizing CyberArk Connection components and making the necessary changes according to client’s requirement.

Helping team in resolving any issues related to any CyberArk component.

Providing training to new employees.

Working on different technologies apart from CyberArk like beyond trust, Certificate Authority, Azure DLP.

You can answer these questions as per your profile and your Daily BAU activities. Don’t say anything apart from it which you don’t know. Because interviewer may ask the questions on that topic.

Q.3. How to login as a Master User?

To login as a master user, we require following:

Master Password

Master CD or Private (RecPrv) key on Vault

Path of private key in dbparm.ini

Restart of PrivateArk server if recovery private key path was changed

Master user will login from the authorized IP address if defined.

Master user can login only in PrivateArk client using PrivateArk authentication.

Q.4. How to activate a user if get suspended?

Interviewer can ask the basic operations questions too:

When a user login to CyberArk and type the wrong password then after the 5 wrong attempts, user’s accounts get suspended, and user can’t login to CyberArk until the account is activated. The default value is 5 and it can be increased maximum by 99.

To Activate the account:

Login to PrivateArk client using Administrator or any account which have permission to activate the account.

Go to Tools > Users & Groups

Search for that suspended account

Click on that account & go to trusted network

Click on Activate

Now user can login to CyberArk.

Account can only be activated from PrivateArk client not from PVWA.

Q.5. What are the different ways of onboarding an account?

This question can be asked to the L1 profile:

Account can be onboarded using below Methods:

• Manually from PVWA
• Using Password Upload Utility (PUU)
• Auto Detection/Auto Discovery
• Rest API

Q.6. How to increase password retrieval time?

When you try to retrieve the password then there’s a time defined.

Go to Administration > Options > General:

Search for Password Revealing or just go to General settings of PVWA.

Lookout for Password Revealing and increase the time as per the requirements.

Apply Ok

Increasing the password revealing time totally depends upon your company’s policy. As in Internet explorer, user can directly copy the password using the copy option but in Google chrome they can’t copy directly. They need to click on show and then double-click and then copy. When they click on show then there’s password revealing time start and its default value is 10 seconds.

Q.7. Workflow of PSM Connection?

CyberArk PSM connection workflow:

When a user clicks on Connect option then PVWAApp user go to Vault and fetches the password of PSMConnect user.

• Then PSM logins to respective PSM server using PSMConnect user.
• Then PSMGW user fetches the password of target account.
• PSM Shadow user connects to the target server with the protocol chosen by the user.
• Recording of the session is stored temporarily on PSM and when user disconnects the session then recording file is uploaded to CyberArk Vault.
• And logs are forwarded to configured SIEM (Splunk, Sentinel, QRadar etc.).

To understand the workflow, one must know about the functions of PVWAGW, PVWAApp, PSMAPP & PSMGW users.

Q.8. Functions of PVWAApp, PVWAGW, PSMAPP, PSMGW Users?

These users are in-built and created when installing PVWA & PSM respectively.

Use of PVWAAPP, PVWAGW, PSMAPP & PSMGW Users:

PVWAApp User: This user is used by PVWA for internal processing. Its’ the only user in the vault who is responsible for opening the PVWA URL. If this user gets suspended, PVWA URL can’t be accessed.

PVWAGW User: This user is generally used for provisioning the other users to the Vault. If this user gets suspended, you won’t be able to login to PVWA.

PSMApp User: This user is generally used by PSM for internal processing. It's used to retrieve configuration from the vault, create recording safes. In new versions, it has the audit and add safes authorization in the vault.

PSMGW User: This user is a part of PVWAGWaccounts group, so it gets the access to all password objects. And used by PSM to fetch the target account’s password.

From the above use of these users, you can see how these accounts are used to grant access to vault or target machine.

Q.9. What are the ports used by CPM to change password?

CyberArk CPM uses different ports for different platforms.

Below are the ports used by CPM for:

Windows Platform: 135, 139, 445

Unix Platform: 22

For changing the password of windows accounts, CPM uses windows API to connect to that machine and then using the net user command to change the password, for changing the password of Unix accounts, it uses plink to connect to Unix and change the password accordingly. (Different flavors of Linux have different commands to change the password.)

Q.10. Why CPM can’t be load balanced?

This is question is generally asked for a higher profile.CPM is assigned to a safe and in a single safe you may have many accounts.

CyberArk CPM can’t be load balanced because: There can be multiple passwords out of sync issues. Suppose if CPM is load balanced then any of the CPM will change or verify the password according to the Master Policy and if it fails to change or verify and in that case another CPM tries the same thing and it got successful but how the first CPM will know... It will push change again so in that case there will be lot of out of sync issues.

In simple term you can say, to avoid split - Brain scenario!

In a different way we can load balanced the CPM. Suppose we have two CPMs and two teams named Windows, Unix teams. So, for windows team safes we can define one CPM and same for Unix team. In this manner, we can load balanced the CPM.