CPC-CDE-RECERT Sample Questions Answers

CyberArk’s Connector Management prerequisites check defines the exact network connectivity rules that must pass before installation:

VaultConnectivity → Connect to the Privilege Cloud backend on TCP 1858

TunnelConnectivity → Connect to the Secure Tunnel on TCP 443

CustomerPortalConnectivity → Connect to the service backend URL on TCP 443

This matches option A exactly.

CyberArk’s official DR CPM procedure for Privilege Cloud (shared services) describes two key actions in this flow:

During installation (Connector Management): When prompted to select the CPM mode, choose Passive.

After installation (configuration step): Stop the CyberArk Password Manager service and set its startup type to Manual.

These map directly to answers C and A.

CyberArk’s predefined groups documentation describes the Auditors group as having View audit plus Safe viewing-related authorization (documented as View Safe Members, enabling visibility into Safe contents/activity/owners list). This matches the intent of “View Audit + View Safe” in the question better than the other options.

When installing the Privileged Session Manager (PSM) on multiple servers, it is required that each PSM installation has the same path to the same recordings directory. This is necessary to ensure that session recordings are stored consistently across different PSM instances, which is important for high availability and load balancing implementations, as well as for maintaining a unified audit trail.

https://docs.cyberark.com/privilege-cloud-standard/Latest/en/Content/Security/PSM-hardening-configuration.htm?Highlight=disable%20support%20for%20browsers

CyberArk’s Privilege Cloud documentation for SIEM integration (Syslog) states that to connect to SIEM in Privilege Cloud, you must first deploy the Secure Tunnel.

That means the Secure Tunnel is the required component that enables the communication path for sending Privilege Cloud audit logs via Syslog (TCP/TLS) to your SIEM.

Why the other options are not correct for this Privilege Cloud Syslog requirement:

A (CyberArk Syslog Writer) is typically referenced in CyberArk Identity / ISP logging contexts, not as the required Privilege Cloud SIEM transport component. (Privilege Cloud SIEM doc calls out Secure Tunnel explicitly.)

C (Privilege Cloud Connector) is not what the SIEM/Syslog doc identifies as the required prerequisite; it specifically calls out Secure Tunnel.

D (CyberArk Identity Connector) is used to integrate directory services (AD/LDAP) with CyberArk Identity/Identity Administration, not as the Privilege Cloud Syslog transport prerequisite.

CyberArk documents that due to RDS licensing enforcement in Windows 2019/2022, Per-user licensing is not supported for local users, and (when Per-user CALs are required) you should move the built-in PSM application users (PSMConnect / PSMAdminConnect) from local to domain users.

Therefore, to leverage existing Per-user RDS licensing on Windows 2019 PSM servers, you must migrate the local PSM users to domain users → C.

From the error message provided, two likely scenarios could represent valid misconfigurations:

TCP Port 636 could be blocked by a network firewall, preventing communication between the CyberArk Identity Connector and the LDAP Server (A). This is a common issue where firewall settings prevent the secure communication port (typically 636 for LDAPS) from transmitting data between the server and the connector, thus blocking the connection attempt.

'Verify Server Certificate' is activated but the provided hostname is not listed as a Subject Alternative Name (SAN) in the LDAP server's certificate (C). This scenario occurs when SSL/TLS security measures are stringent, requiring that the hostname used to connect to the LDAP server must match one listed in the server's SSL certificate. If the hostname does not match, the connection will fail due to SSL certificate validation errors.

On CyberArk Privilege Cloud, updating users' permissions on safes can be done through the Privilege Cloud Portal and the REST API. The Privilege Cloud Portal provides a user-friendly graphical interface where administrators can manage user permissions directly within the portal's safe management settings. Additionally, the REST API offers a programmable way to automate permission updates across safes, which is especially useful for bulk changes or integrating with other management tools. Both methods provide effective means to manage and customize access controls in a CyberArk environment, allowing for detailed permission settings per user on specific safes.

4->1->2->3

https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/privilege%20cloud/privcloud-cpm-dr-install-standard.htm

CyberArk documents that automatic hardening can be bypassed by setting the Hardening parameter in the PSM for SSH parameters file. The PSM for SSH parameters file used during installation is the psmpparms file (created by copying psmpparms.sample and renaming it to psmpparms).

CyberArk’s “Before you install PSM for SSH (Standard)” prerequisites include:

Verify public access: “Verify that outbound traffic from the PSM for SSH server is always routed through the same public-facing IP.” This directly supports C.

Create the PSM for SSH parameters file: The parameters file is required for the installation process, and the documentation specifies InstallCyberArkSSHD = Integrated as a mandatory parameter value. This supports A (with the corrected value “Integrated”).

Why the other options are not “installation prerequisites” as written:

B: CyberArk documents that after installation, the root user will not be able to authenticate remotely using a password (security behavior), not as a prerequisite step to perform before installation.

D: The docs mention you can use a different administrative/maintenance user, but it is not listed as a required prerequisite in the “Before you install” checklist.

E: Resetting the root password is not listed as a prerequisite in the Privilege Cloud “Before you install PSM for SSH (Standard)” documentation.

To properly arrange the steps for failing over to a passive Central Policy Manager (CPM) in CyberArk, the sequence should be as follows:

Validate that the active CPM's services are stopped and set to manual.Before enabling the passive CPM, ensure that the services on the active CPM are stopped. This prevents any conflicts or data corruption by making sure that only one CPM is active at a time. Setting the services to manual ensures they do not restart automatically, which is crucial during a failover scenario.

On the passive CPM, confirm details in the Vault.ini configuration file, reset the password to the CPM user, and recreate the credential file.This step involves making sure the passive CPM has the correct configuration to seamlessly take over operations. Adjustments in the Vault.ini file may be necessary to ensure it is pointing to the correct Vault and network settings. Resetting the password and recreating the credential file are critical to secure the login and authentication process for the newly active CPM.

Enable the CPM services on the passive CPM.Once the passive CPM is correctly configured and ready, enable its services to begin handling the tasks and responsibilities of the primary CPM. This action effectively switches the role from passive to active, enabling the passive CPM to function as the new operational manager.

Review logs to confirm the passive CPM services are running as expected.Finally, review the system and application logs to confirm that the now-active CPM is operating correctly and that all services have started without errors. This step is vital for verifying that the failover process was successful and that the system is stable.

Following this ordered sequence ensures a smooth transition of roles from the active CPM to the passive CPM, minimizing downtime and potential disruptions in the privileged access management operations.

CyberArk documents that the health check service returns HTTP 200 (OK) when the PSM service is healthy, and returns 503 (Service unavailable) when it is not healthy (in code-based behavior).

The basic network requirements to deploy a CyberArk Privilege Management Central Policy Manager (CPM) server include Port 1858 to the Privilege Cloud Vault service backend and Port 443 to the Privilege Cloud Portal. Port 1858 is necessary for communication with the CyberArk Vault, facilitating essential interactions like password retrieval and updates. Port 443 is required for secure web traffic to and from the Privilege Cloud Portal, ensuring that all management tasks performed through the web interface are secure and encrypted. These ports must be properly configured to allow for the efficient and secure operation of the CPM within the Privilege Cloud infrastructure.

The error message "CACPM410E Ending password policy Prod-AIX-Root-Accounts since the reconciliation task is active but the AllowedSafes parameter was not updated" suggests an issue with configuration parameters. The likely cause is:

The AllowedSafes parameter does not include the safe containing the reconciliation account defined in the Platform (Option C). This parameter must accurately reflect all safes where the reconciliation account operates to ensure proper management and access by the Central Policy Manager (CPM). If the safe containing the reconciliation account is not listed, the CPM cannot perform its tasks, leading to this error.

https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/privilege%20cloud/privcloud-app-users.htm

CyberArk’s hardening guidance is explicitly organized by whether the servers are In Domain or Out of Domain (for example, PSM hardening guidelines and tasks reference both deployment types, and CPM has separate “hardening in domain” guidance). Therefore, the deployment criterion that drives the hardening method/package is In Domain vs Out of Domain.

The sshd_config file is the correct configuration file that must be updated to define maintenance users for administering the Privilege Cloud PSM for SSH connector. This file contains configurations for the SSH daemon, including user permissions and group settings. When adding maintenance users, their user accounts are created on the PSM server, and then they are added to the AllowGroups parameter within the sshd_config file to grant them the necessary permissions.

In the Shared Services (ISPSS) model, directory services (AD/LDAP) are integrated through CyberArk Identity / Identity Administration using the Identity Connector, which enables secure communication between Identity Administration and the customer’s AD/LDAP. This aligns with C.

For LDAPS, CyberArk states LDAP communicates with the Identity Connector over TLS/SSL (port 636) and that, during the handshake, the LDAP server presents an X.509 certificate; therefore the machine running the Identity Connector must trust the issuing CA/cert chain. This is exactly D.

Why the other options are not correct for Shared Services:

A describes the Privilege Cloud Portal LDAP mapping UI used in the Privilege Cloud Standard LDAP integration flow (User Provisioning > LDAP Integration), not the Shared Services Identity Administration directory service integration path.

B “Secure Tunnel required” is a requirement called out for connecting LDAP in the Privilege Cloud Standard flow (CyberArk Support defines the secure tunnel), but Shared Services LDAP/AD authentication is handled via the Identity Connector model.

E is not a Shared Services requirement; the trust is established on the connector machine (D), not by sending the CA cert to CyberArk Support.

CyberArk’s PSM for SSH administration documentation explains how to create maintenance access by updating the SSH daemon configuration:

In /etc/ssh/sshd_config, add an AllowGroups entry that includes the maintenance group(s):AllowGroups PSMConnectUsers ..

This matches option C exactly: you enable the additional maintenance user by placing them in the group(s) referenced by AllowGroups in sshd_config.

To retrieve the previous password for an account that had its password changed by the CPM, you should look under the Versions tab within the account's overview page. This tab maintains a history of password changes, including previous passwords, along with other historical data points that allow for tracking changes over time. This feature is critical for auditing and rollback purposes in environments where knowing past credentials is necessary for troubleshooting or compliance.

CyberArk documents that to provision/authenticate users based on on-prem directory services using LDAP with Shared Services, you must first install the Identity Connector.

CyberArk also states LDAP communication to the Identity Connector is over TLS/SSL, and during the TLS handshake the LDAP server must present an X.509 certificate, meaning the connector must be able to trust the LDAP/LDAPS certificate chain (i.e., a trusted certificate on the connector side is required for LDAPS trust).

Therefore, the correct choices are B (Identity Connector) and D (trusted LDAP server certificate on the connector).

Why the other options are not correct as stated:

C is wrong because LDAPS (636) is between the Identity Connector and the domain controllers/LDAP server, not “opened to the Privilege Cloud back-end” directly.

E is not required for LDAP credential login; federated domains are used for federation/SSO use cases, while LDAP mapping is handled via the connector + LDAPS trust.

A (read-only domain user) is commonly used as the Bind DN/service account, but in the Shared Services LDAP requirement set here, the two must-have items that CyberArk calls out for enabling this path are the Identity Connector and the LDAPS certificate trust.

PSM for SSH supports various authentication methods, specifically focusing on secure and verified access mechanisms. The supported methods include:

RADIUS (D): Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service. PSM for SSH utilizes RADIUS to authenticate SSH sessions, which adds an additional layer of security by centralizing authentication requests to a RADIUS server.

Client Authentication Certificate (E): This method uses certificates for authentication, where a client presents a certificate that the server verifies against known trusted certificates. This type of authentication is highly secure as it ensures that both parties involved in the communication are precisely who they claim to be, making it suitable for environments that require stringent security measures.

These methods provide robust security options for SSH sessions managed through CyberArk's PSM, ensuring that only authorized users can access critical systems.

https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/pas%20inst/cpm-hardening-task-descriptions.htm?Highlight=cpm%20hardening%20accounts#AddsuserstoLocalgrouppolicySecuritysettings

In large-scale environments, to enable the Central Policy Manager (CPM) to focus its search operations on specific Safes instead of scanning all Safes it sees in the Vault, the AllowedSafes parameter on each platform policy is used. This parameter can be configured within the platform settings in the CyberArk administration interface. By specifying safes in the AllowedSafes parameter, the CPM will only manage credentials within those designated safes, thereby optimizing performance and managing resources more efficiently by not scanning unnecessary safes. This setting is crucial for large environments where the CPM needs to be as efficient as possible due to the volume of managed accounts.