High Level Installation Steps:

Basically,
follow the hardware requirements out of the attached system requirements guide
for hardware specs and prerequisite software needed.
Enterprise Password Vault Solution (Vault, PVWA, CPM)
For the
vaults:
       
Install Windows 2012 R2 or Windows
2016
       
Install at least .NET Framework
4.6.2 (if that or a greater version not already included)
       
DO NOT join it to the domain
       
Install all the latest Windows OS
patches
       
Remove all protocols and services
from the network card except TCP/IP version 4
       
The rest is performed during the
install
For the
others:
       
Install Windows 2012 R2 or Windows
2016
       
Install at least .NET Framework
4.6.2 (if that or a greater version not already included)
       
Install all the latest Windows OS
patches
       
The rest is performed during the
install which includes:
o  
Setting up the IIS role via the provided
PVWA prerequisites script.

o  Make sure you are using run as administrator to run setup.exe file. Domain admin account will not work

For the
PSMs
       
Install Windows 2012 R2 or Windows
2016
       
Install at least .NET Framework
4.6.2 (if that or a greater version not already included)
       
Install all the latest Windows OS
patches
       
Add the domain account we are using
to install PSM to the local administrators group of the new PSM VM build
       
The rest is performed during the
install which includes:
o  
Setting up the Remote Desktop
Session Host role (not from individual checkboxed RD options) and selecting
session-based (which will then ask for connection brokers and RD gateway
servers in later steps).

Digital Vault Server Installation:

Support Platforms:

  • The Digital Vault server requires an Intel Pentium IV (or compatible) processor or later.
  • Support Windows 2016 and Windows 2012 R2

Software requirements:

  • .NET Framework 4.5.2

Installation Steps:

  1. On the Vault machine, create a new folder and copy the contents of the installation package to it.
  2. Display the contents of the Server folder, then start the installation procedure:
    Setup.exe
    or,
    systems that are UAC-enabled, right-click Setup.exe, then select Run as Administrator.
    The Vault installation wizard appears and displays a list of required features that it will install on your computer before it can install the Digital Vault
  3. Click Install to begin the installation process; the installation process begins and the PrivateArk Server Setup window appears,
  4. Select Installation Locations. 
  5. Installation
    • Select Skip Remote Control Agent Configuration to proceed to the next step of the installation procedure without configuring the Remote Control Agent,
    • To install RabbitMQ, select the checkbox, then click Next, to proceed to the next step of the installation.
    • This step of the installation hardens the Vault machine.
    • To confirm that the Vault hardening procedure will be run as part of the installation, click Next,
    • This step of the installation enables you to specify the name of the folder where the Server files will be stored,
  6. Setup Passwords
    • The next step of the installation prompts you for passwords for the built-in Master user and Administrator user
    • Type the Master user’s password, then type it again to confirm.
    • Type the Administrator user’s password, then type it again to confirm
    • Select Yes, I want to restart my computer now, then click Finish to restart your computer.
    • The installation automatically updates your Windows Start menu, places a PrivateArk Server shortcut icon on the desktop, and updates the computer registry information. If you configured the Remote Control Agent during installation, it will start automatically after you restart your computer.
  7. Create a new Local User for the Logic Container Service
    • CyberArk has created a script that covers all the manual steps described below for all versions.
    • The LogicContainerUserConfiguration.ps1 script can be downloaded from the CD image.
    • To run the script, copy it to the Vault server and run it either by double-clicking the script or by opening PowerShell and running the script.
    • The script creates a log file next to it detailing all the steps done.

Password Vault Web Access (PVWA)  Installation:

Install the PVWA server prerequisites
The PVWA_Prerequisites script automates PVWA server prerequisites by doing the following:
  • Installs Web Server Roles
  • Disables IPv6
  • Configures the self certificate

Web Server roles

Before installing the PVWA, add the Web Server role.

Log onto Windows as the Administrator user
Before beginning installation, log onto Windows as the Administrator user.

Installation

The Password Vault Web Access must be installed on a different machine to the Enterprise Password Vault server.

  1. On the PVWA machine, create a new folder and copy the Password Vault Web Access folder from the installation package to it.
  2. Start the installation procedure: Double-click Setup.exe
  3.  Click next to go to next step until to this window to select the type of Password Vault Web Access to install.
  • Full Password Vault Web Access – This option installs the PVWA for desktop browsers.
  • Mobile Password Vault Web Access – This option installs a PVWA interface that is specifically for mobile devices.

4. Click Next to proceed to the Web application details window, which enables you to specify the web site name, application name, and authentication type(s) for the web application.
5. Click next to specify the username and password of the Vault user carrying out this installation, then click Next to create the Password Vault Web Access environment and display the Setup Complete window.

6. Click Finish to complete the Password Vault Web Access installation.
7. Restart the machine wherethe Password Vault Web Access is installed.


CPM  Installation:

Before Installation


Standard installation

  1. On the CPM machine, create a new folder and copy the Central Policy Manager folder from the installation package to it.
  2. Start the installation procedure in one of the following ways:
    • Double-click Setup.exe
    • On systems that are UAC-enabled, right-click Setup.exe, then select Run as Administrator.
    The installation process begins and the Setup window appears.

3. Click Next to proceed to the next step of the installation. The CPM installation wizard appears and displays a list of required features that it will install on your computer before it can install the CPM.

5. Click Next until to accept the default location provided by the installation, as displayed in the Destination Folder area,
Alternatively, click Browse and select another location.

Click Next to proceed to the Setup Type window, which enables you to specify whether or not the CPM was already installed on the Vault.

6. Select No Policy Manager was previously installed, then click Next to proceed to the Vault Connection Details window where you specify the connection details of the Password Vault.


7. Specify the IP address or DNS of the Password Vault, and its port number, then click Next to proceed to the Vault’s Username window where you specify the logon details of the Vault user.


8. Specify the name and password of the Vault user who will create the CPM environment in the Vault. Click Next; the installation process will now build the CPM environment in the Vault and on the CPM machine.


9. After the CPM environment has been created, the Setup Complete window appears.









PSM  Installation:


Run the PSM installation wizard.

To install PSM:
  1. Log on as a domain user who is a member of the local administrators group.
  2. Create a new folder on the PSM server machine. From the installation CD, copy the contents of the Privileged Session Manager folder to your new folder .
    Display the contents of the Privileged Session Manager folder.
  3. Start the installation procedure:
    Double-click Setup.exe or,
    On systems that are UAC-enabled, right-click Setup.exethen select Run as Administrator.
    The PSM installation wizard appears and displays a list of prerequisites that are installed before the PSM installation continues.

4. Click Install to begin the installation process; the installation process begins and the Setup window appears.
5. Click next until on the Destination Location window, click Next to accept the default location provided by the installation, or click Change and select another location.
6. On the Recordings Folder window, click Next to accept the default recordings folder provided by the installation, or click Change and select another location.


7. On the Password Vault Web Access Environment window, click Next to accept the default name of the PVWA Configuration Safe provided by the installation, or specify the name of another Safe name that is used as the PVWA Configuration Safe.


8. Click Next; the installation automatically installs the Oracle Instant Client, then displays the Vault’s Connection Details window. Specify the IP or DNS address and the port number of the Digital Vault, then click Next.


9. On the Vault’s Username and Password Details window, specify the username and password of the Vault user carrying out this installation, then click Next .


10. On the API Gateway Connection Details window, enter the protocol and hostname of the PVWA where the PSM connects to the API Gateway, then click Next to display the Setup Complete window. This information is used to generate an endpoint for API calls (<protocol>://<Host>/passwordvault/api).


11 Click Finish to complete the Privileged Session Manager installation.


12. Restart the PSM server. You can also restart the PSM server at a later stage.


13. On the PVWA machine, run iisreset,






Activate the PSM server


To activate PSM:

  1. If you did not use the default recordings folder provided by the installation , you will need to update the path to the recordings folder.
    Go to PVWA > ADMINISTRATION > Options > Privileged Session Management > General settings > Recorder settings. Update the value of the recordings folder path on the PSM machine.
  2. You need to manually start the CyberArk Privileged Session Manager Service:
    1. Go to Start> Settings > Control Panel.
    2. Select Administrative Tools > Services.
    3. Right-click CyberArk Privileged Session Manager.
    4. Select Start.


References:

By Jonny

Leave a Reply