CyberArk CPC-CDE-RECERT Dumps

CyberArk’s hardening guidance is explicitly organized by whether the servers are In Domain or Out of Domain (for example, PSM hardening guidelines and tasks reference both deployment types, and CPM has separate “hardening in domain” guidance). Therefore, the deployment criterion that drives the hardening method/package is In Domain vs Out of Domain.

CyberArk’s official guidance for restricting a platform to specific Safes is to set the AllowedSafes platform parameter in the General section of the platform under Automatic Password Management.

AllowedSafes uses a regular expression to match Safe names, which is why a pattern such as (WINDEMEA)|(WINDEMEA_ADMIN) is used to allow exactly those two Safe names.

When installing the Privileged Session Manager (PSM) on multiple servers, it is required that each PSM installation has the same path to the same recordings directory. This is necessary to ensure that session recordings are stored consistently across different PSM instances, which is important for high availability and load balancing implementations, as well as for maintaining a unified audit trail.

CyberArk explains that PSM recordings are saved temporarily on the PSM/connector during the active session, and when the session ends they are uploaded to Privilege Cloud.

It further notes that sessions are stored in the default recording Safe (PSMRecordings) in the Privilege Cloud Vault.

CyberArk states that LDAP users are provisioned using directory maps, and that a directory map determines whether a user account or group may be created in Privilege Cloud (and under which criteria/templates). That’s A.

CyberArk also states that an LDAP user’s account properties are updated by the directory map each time the user logs on (i.e., attributes refresh on login). That’s C.

Why the others are incorrect:

B: No custom Python script is required—Privilege Cloud uses built-in LDAP integration/directory mapping.

D: A Base Context / search base (e.g., DC=example,DC=com) is part of the required LDAP connection configuration.

E: The bind user does not have to be a domain admin; typical LDAP bind accounts are least-privileged for directory reads (domain admin is not a prerequisite in CyberArk’s integration flow).

For customers using CyberArk Privilege Cloud Shared Services, the correct format for the CyberArk Vault address is:

vault-<subdomain>.privilegecloud.cyberark.cloud (Option B). This format is used to access the vault services provided by CyberArk in the cloud environment, where <subdomain> is the unique identifier assigned to the customer’s specific instance of the Privilege Cloud.

The sshd_config file is the correct configuration file that must be updated to define maintenance users for administering the Privilege Cloud PSM for SSH connector. This file contains configurations for the SSH daemon, including user permissions and group settings. When adding maintenance users, their user accounts are created on the PSM server, and then they are added to the AllowGroups parameter within the sshd_config file to grant them the necessary permissions.

CyberArk documents that due to RDS licensing enforcement in Windows 2019/2022, Per-user licensing is not supported for local users, and (when Per-user CALs are required) you should move the built-in PSM application users (PSMConnect / PSMAdminConnect) from local to domain users.

Therefore, to leverage existing Per-user RDS licensing on Windows 2019 PSM servers, you must migrate the local PSM users to domain users → C.

Privilege Cloud (Shared Services) user access is governed by CyberArk Identity user existence and policy. If the user account is removed, sign-in is blocked and the end-user experience is the standard “unable to sign in / contact administrator” style message, consistent with CyberArk’s end-user troubleshooting guidance when sign-in is blocked by policy/account state.

(Options C and D do not align with Identity-based access control behavior; a removed Identity user should not be able to authenticate successfully.)

CyberArk states that users can authenticate to the Vault through PSM for SSH using:

CyberArk password authentication (i.e., CyberArk authentication),

LDAP, and

RADIUS (including challenge-response).

Windows, SAML, and OIDC are not listed as direct PSM for SSH authentication methods in the PSM for SSH authentication configuration (Privilege Cloud / PSM for SSH uses the configured PSM for SSH authentication methods such as Password/LDAP/RADIUS)

To map LDAP users from both your customer and the smaller organization they have merged with, especially when there is no network connectivity between the two infrastructures, the best approach is to:

Deploy Identity Connectors in the newly acquired infrastructure and create user mappings (Option C). This involves setting up additional Identity Connectors within the smaller organization’s network. These connectors will facilitate the integration of user directories from both organizations into the customer’s Privilege Cloud environment.

The tool used to configure the user object for the installation of the PSM for SSH component is CreateCredFile. This tool is responsible for creating a credentials file that stores the necessary user details required during the installation process, ensuring secure and correct authentication.

CyberArk’s Connector Management prerequisites check defines the exact network connectivity rules that must pass before installation:

VaultConnectivity → Connect to the Privilege Cloud backend on TCP 1858

TunnelConnectivity → Connect to the Secure Tunnel on TCP 443

CustomerPortalConnectivity → Connect to the service backend URL on TCP 443

This matches option A exactly.

CyberArk defines MaxConcurrentConnections as: “The maximum number of connections that can be opened between the Central Policy Manager and the remote machine where the passwords are replaced.”

That is exactly option A.

CyberArk’s predefined groups documentation describes the Auditors group as having View audit plus Safe viewing-related authorization (documented as View Safe Members, enabling visibility into Safe contents/activity/owners list). This matches the intent of “View Audit + View Safe” in the question better than the other options.

CyberArk documents that to provision/authenticate users based on on-prem directory services using LDAP with Shared Services, you must first install the Identity Connector.

CyberArk also states LDAP communication to the Identity Connector is over TLS/SSL, and during the TLS handshake the LDAP server must present an X.509 certificate, meaning the connector must be able to trust the LDAP/LDAPS certificate chain (i.e., a trusted certificate on the connector side is required for LDAPS trust).

Therefore, the correct choices are B (Identity Connector) and D (trusted LDAP server certificate on the connector).

Why the other options are not correct as stated:

C is wrong because LDAPS (636) is between the Identity Connector and the domain controllers/LDAP server, not “opened to the Privilege Cloud back-end” directly.

E is not required for LDAP credential login; federated domains are used for federation/SSO use cases, while LDAP mapping is handled via the connector + LDAPS trust.

A (read-only domain user) is commonly used as the Bind DN/service account, but in the Shared Services LDAP requirement set here, the two must-have items that CyberArk calls out for enabling this path are the Identity Connector and the LDAPS certificate trust.

CyberArk’s hardening instructions for SUSE (manual hardening) explicitly require:

Updating the SSH daemon configuration in /etc/ssh/sshd_config (for example, removing SFTP subsystem definitions and setting multiple hardening-related attributes such as disabling forwarding features).

Ensuring the credential file for the PSM for SSH gateway user (psmpgwuser.cred) has the required permissions 640 (default path shown as /etc/opt/CARKpsmp/Vault/psmpgwuser.cred).

Those map directly to A and C.

In the Shared Services (ISPSS) model, directory services (AD/LDAP) are integrated through CyberArk Identity / Identity Administration using the Identity Connector, which enables secure communication between Identity Administration and the customer’s AD/LDAP. This aligns with C.

For LDAPS, CyberArk states LDAP communicates with the Identity Connector over TLS/SSL (port 636) and that, during the handshake, the LDAP server presents an X.509 certificate; therefore the machine running the Identity Connector must trust the issuing CA/cert chain. This is exactly D.

Why the other options are not correct for Shared Services:

A describes the Privilege Cloud Portal LDAP mapping UI used in the Privilege Cloud Standard LDAP integration flow (User Provisioning > LDAP Integration), not the Shared Services Identity Administration directory service integration path.

B “Secure Tunnel required” is a requirement called out for connecting LDAP in the Privilege Cloud Standard flow (CyberArk Support defines the secure tunnel), but Shared Services LDAP/AD authentication is handled via the Identity Connector model.

E is not a Shared Services requirement; the trust is established on the connector machine (D), not by sending the CA cert to CyberArk Support.

In the Shared Services model, MFA enforcement is done in CyberArk Identity / Identity Administration using Core Services > Policies:

To enforce MFA broadly, CyberArk documents configuring MFA for all users by enabling authentication policy controls and creating/assigning an authentication profile (the mechanisms/challenges).

To require users to set up MFA factors, CyberArk documents the setting under User Security Policies > User Account Settings where you specify the minimum number of authentication factors users must configure upon login.

Option B is the only choice that correctly points you to the right place and activity (Identity Administration Policies to configure authentication/MFA requirements and enrollment requirements).

CyberArk recommends placing connector host machines geographically as close as possible to their targets to reduce latency and (practically) minimize WAN traffic between sites.

Since CPM password rotations/verifications occur between the CPM component and the target systems in the customer network, deploying CPM connectors in each data center (near those local targets) and organizing/segregating by region (for example via region-specific Safes/target scoping) is the design that best reduces cross–data-center traffic.

CyberArk’s “Before you install PSM for SSH (Standard)” prerequisites include:

Verify public access: “Verify that outbound traffic from the PSM for SSH server is always routed through the same public-facing IP.” This directly supports C.

Create the PSM for SSH parameters file: The parameters file is required for the installation process, and the documentation specifies InstallCyberArkSSHD = Integrated as a mandatory parameter value. This supports A (with the corrected value “Integrated”).

Why the other options are not “installation prerequisites” as written:

B: CyberArk documents that after installation, the root user will not be able to authenticate remotely using a password (security behavior), not as a prerequisite step to perform before installation.

D: The docs mention you can use a different administrative/maintenance user, but it is not listed as a required prerequisite in the “Before you install” checklist.

E: Resetting the root password is not listed as a prerequisite in the Privilege Cloud “Before you install PSM for SSH (Standard)” documentation.

When installing the PSM and CPM components on the same Privilege Cloud Connector and considering the hardening process, it's important to note that PSM settings override the CPM settings when referring to the same parameter. This hierarchy is crucial in ensuring that the more stringent security settings required by PSM, which typically handles direct interaction with end-user sessions, take precedence over CPM settings. This setup helps maintain robust security practices by applying the most restrictive configuration where conflicts occur.

When deploying a CyberArk Identity Connector to integrate Privilege Cloud Shared Services with an Active Directory environment, the server hosting the Identity Connector must meet specific requirements to ensure proper integration and functionality. The necessary condition is:

The Identity Connector Server must be joined to the Active Directory (Option A). This requirement ensures that the server can communicate effectively with the Active Directory services and manage identity data securely and efficiently. Being part of the Active Directory domain facilitates authentication and authorization processes required for the connector to function correctly.

CyberArk’s official outbound traffic/network requirements explicitly list the two Privilege Cloud cloud-side endpoints that are required for Secure Tunnel communications (for REST/API calls over HTTPS/443):

Backend service management (Required for Secure Tunnel):

Connector (Required for Secure Tunnel): .privilegecloud.cyberark.com

These map directly to answer choices A (console) and B (connector-).

Note: Your options use the .cyberark.cloud domain, while CyberArk’s network requirements documentation shows these endpoints in the .cyberark.com domain for Privilege Cloud. The service roles (Console + Connector endpoint) are what Secure Tunnel must reach, and those are the two “Required for Secure Tunnel” services in the official requirements.

Why the other options are not selected (based on what’s “required for Secure Tunnel” in the official allowlist guidance):

C (backend-services…): Not listed in CyberArk’s published “Required for Secure Tunnel” FQDN allowlist entries (console + connector are).

D (telemetry…): Telemetry is a separate capability (dashboards / utilization tracking) and is not documented as the required Secure Tunnel service endpoint.

E (update…): Secure Tunnel upgrade/download processes are documented, but “update.*” is not listed as a required Secure Tunnel cloud endpoint in the outbound allowlist table.

CyberArk’s Privilege Cloud network requirements state that, to secure the service, CyberArk permits inbound traffic only from specific IP addresses and you must provide CyberArk Support with the public-facing IP addresses for communication between the Privilege Cloud service and the Connectors, including Secrets Manager—so they can add them to the CyberArk allowlist.

That statement maps directly to A.