The CPM_PreInstallation.ps1 script automates and performs the following tasks:
Verifies .NET version
Sets the IIS SSL/TLS configuration
To run the CPM_PreInstallation script:
Copy the CPM folder from the installation package to the CPM server, and unzip the folder.
In the InstallationAutomation folder, locate the CPM_PreInstallation.ps1 file.
Open a PowerShell window as Administrator, and run the CPM_PreInstallation.ps1 script.
Installing CPM using scripts
1 Install CPM using scripts
In the CPM\InstallationAutomation\Installation folder, locate and open the InstallationConfig.xml file.
In the InstallationConfig.xml file, specify the following parameters:
The name of the user running the installation.
Valid values: Username
Default value: Windows User
The name of the company running the installation.
Valid values: Company name
Default value: My Company
The path where CPM is installed.
If the path is longer than 260 characters (the Windows MAX_PATH limit), enable long path support before installing.
In the Registry Editor, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem, change the LongPathsEnabled value from 0 to 1, and reboot the machine so that the new setting takes effect.
Valid values: Pathname
Default value: C:\Program Files (x86)\CyberArk\
Whether this is a CPM upgrade or a new CPM installation.
Valid values: True/False
Default value: False
In a PowerShell window, run the CPMInstallation.ps1 script as Administrator.
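The following PowerShell script is an added example and is not part of the CyberArk installation package. It performs the pre-flight checks described in the steps above before launching CPMInstallation.ps1: it confirms the window is elevated, compares the installation path you entered in InstallationConfig.xml against the 260-character limit, enables LongPathsEnabled only when that limit is exceeded, and stops for the required reboot in that case. The $InstallPath and $InstallScript parameters are assumptions; pass the values you actually configured.

```powershell
# Added example (not CyberArk's own code): pre-flight checks for the scripted CPM install.
# Assumptions: run from the CPM\InstallationAutomation\Installation folder, and
# $InstallPath is the path you entered in InstallationConfig.xml.
param(
    [string]$InstallPath   = 'C:\Program Files (x86)\CyberArk\',   # page default
    [string]$InstallScript = '.\CPMInstallation.ps1'
)

$ErrorActionPreference = 'Stop'

# 1. The installer must run elevated. Fail early rather than halfway through the install.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell window.'
}

# 2. Legacy MAX_PATH is 260 characters. A longer installation path needs
#    LongPathsEnabled=1 under the FileSystem key, followed by a reboot.
$regKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$current = (Get-ItemProperty -Path $regKey -Name LongPathsEnabled -ErrorAction SilentlyContinue).LongPathsEnabled
if ($InstallPath.Length -gt 260) {
    if ($current -ne 1) {
        Set-ItemProperty -Path $regKey -Name LongPathsEnabled -Value 1 -Type DWord
        Write-Warning 'LongPathsEnabled was set to 1. Reboot, then run this script again to install.'
        return
    }
    Write-Host 'LongPathsEnabled is already 1; the long installation path is acceptable.'
}

# 3. The installer reads InstallationConfig.xml from its own folder; make sure it is there.
if (-not (Test-Path -LiteralPath '.\InstallationConfig.xml')) {
    throw 'InstallationConfig.xml not found in the current folder.'
}

# 4. Run the installer in this (elevated) session.
& $InstallScript
```

If the script stops after enabling LongPathsEnabled, reboot and run it a second time; on the second run the registry check passes and the installer starts.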
The registration process connects the CPM to the Vault.
In the CPM\InstallationAutomation\Registration folder, locate and open the CPMRegisterComponentConfig.xml file.
In the CPMRegisterComponentConfig.xml file, specify the following parameters:
Acceptance of the End User License Agreement.
Valid values: Yes/No
The IP address or hostname of the Vault server.
Valid values: IP address or hostname
The port on which the Vault listens for component connections. Default Vault port: 1858
Valid values: Port number
The name of the Vault user performing the installation.
Valid values: Username
We recommend using the Vault administrator user to install CPM, as this user has the appropriate Vault authorizations and is created in the appropriate location in the Vault hierarchy.
During installation, several Vault objects are created to enable the CPM to access existing passwords, generate new ones and replace them on remote machines. Before the CPM begins working, however, we recommend creating a Trusted Network Area for the CPM user so that it can log on to the Vault only from the CPM machine.
Make sure that the CPM user can only log on to the Vault from the CPM machine. This restriction limits what an attacker can do with the CPM user's credentials if they are copied off the server, because the Vault rejects that user's logon from any other address.
To create a trusted network area:
Create a Network Area that contains only the IP address of the CPM machine, from which the CPM user will log on to the Vault.
In the User Properties window, add this network area to the user’s Trusted Network Areas.
Restart the following services:
CyberArk Password Manager service
CyberArk Central Policy Manager Scanner
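The following PowerShell snippet is an added example, not CyberArk's own code. It restarts the two services named above in order and does not report success until each one is back in the Running state, which is the check a practitioner wants after changing the CPM user's Trusted Network Areas. It assumes the Windows service display names start with the names used on this page; adjust the patterns if your build differs.

```powershell
# Added example (not CyberArk's own code): restart the CPM services after the Vault-side
# change and confirm they come back up.
# Assumption: the service display names begin with the names used on this page.
$displayNames = @(
    'CyberArk Password Manager*',
    'CyberArk Central Policy Manager Scanner*'
)

foreach ($pattern in $displayNames) {
    $services = @(Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue)
    if ($services.Count -eq 0) { throw "No service matches display name '$pattern'" }

    foreach ($svc in $services) {
        Restart-Service -InputObject $svc -Force -ErrorAction Stop
        # WaitForStatus throws a TimeoutException if the service is not Running within 60 s,
        # which is what you want: a service that fails to start should abort the procedure.
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
        $svc.Refresh()
        Write-Host ("{0}: {1}" -f $svc.DisplayName, $svc.Status)
    }
}
```

If a service fails to reach Running, check the CPM log files (next step) before retrying; a CPM user that is now outside its Trusted Network Area will fail to log on to the Vault, and the logs will say so.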
2 Check the installation log files and CPM log files
Copy the installation log file to another location and keep it; otherwise, it is deleted automatically on the next reboot.
3 Check the CPM related files and services
4 Add restrictions to the protected credentials file
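The following PowerShell script is an added example, not CyberArk's own code. It shows one way to carry out this step: it removes inherited NTFS permissions from a credentials file and rebuilds a minimal access list, so that rights granted on the installation directory no longer apply to the file. The page does not name the credentials file or the account that runs the CPM services, so $CredFile is a placeholder path and $ServiceAccount is an optional assumption for installations whose services do not run as Local System.

```powershell
# Added example (not CyberArk's own code): restrict NTFS permissions on a CPM credentials
# file to SYSTEM, local Administrators and, optionally, a dedicated service account.
# Assumptions: $CredFile is a placeholder; $ServiceAccount is only needed if the CPM
# services run under a dedicated account instead of Local System.
param(
    [string]$CredFile       = 'C:\Program Files (x86)\CyberArk\Password Manager\Vault\user.ini', # assumed path
    [string]$ServiceAccount = ''   # e.g. 'DOMAIN\svc_cpm'; leave empty for Local System
)

$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $CredFile)) { throw "Credentials file not found: $CredFile" }

$acl = Get-Acl -LiteralPath $CredFile

# Stop inheriting from the parent folder and discard the inherited entries, so nothing
# granted on the installation directory leaks down to this file.
$acl.SetAccessRuleProtection($true, $false)

# Drop any remaining explicit entries, then rebuild a minimal set.
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$readOnly    = [System.Security.AccessControl.FileSystemRights]::Read
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

$entries = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = $fullControl },
    @{ Id = 'BUILTIN\Administrators'; Rights = $fullControl }
)
if ($ServiceAccount) {
    # The service only needs to read the file; it never rewrites it.
    $entries += @{ Id = $ServiceAccount; Rights = $readOnly }
}

foreach ($entry in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Id, $entry.Rights, $allow)
    $acl.AddAccessRule($rule)
}

Set-Acl -LiteralPath $CredFile -AclObject $acl

# Verify: only the entries added above should remain, and none should be inherited.
(Get-Acl -LiteralPath $CredFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Run this as Administrator after the services are confirmed working with the new Trusted Network Area; if the CPM service fails to start afterwards, the account it runs under is not in the list and must be added.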
5 Check the Vault changes, such as safes, users and saved files.
The CPM hardening process is a series of tasks that enhance security on the Windows Server machine. Hardening is performed after CPM installation.
Hardening consists of the following tasks:
In-domain automatic hardening via GPO
Out-of-domain hardening via INF import
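The following PowerShell script is an added example and not CyberArk's hardening tooling. It shows the out-of-domain case from the list above using secedit, the built-in Windows tool for importing a security template (.inf) into the local security policy: it first exports the current policy so the change can be rolled back, then applies the template into a fresh database and re-analyzes the machine against it. The $Template parameter is a placeholder for the INF file you intend to import; the working directory and file names are arbitrary.

```powershell
# Added example (not CyberArk's own code): import a hardening template on a machine that
# is not domain-joined, with a policy backup taken first.
# Assumption: $Template is the .inf you intend to apply; the page does not name the file.
param(
    [Parameter(Mandatory)] [string]$Template,
    [string]$WorkDir = "$env:ProgramData\CPMHardening"
)

$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $Template)) { throw "Template not found: $Template" }
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $WorkDir "before-hardening-$stamp.inf"
$db     = Join-Path $WorkDir "hardening-$stamp.sdb"
$log    = Join-Path $WorkDir "hardening-$stamp.log"

# 1. Export the current local security policy so the hardening can be reverted
#    (re-import $backup with the same /configure command if needed).
secedit /export /cfg $backup /log $log | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit $LASTEXITCODE); see $log" }

# 2. Import the template into a new database and apply it. /overwrite avoids merging
#    with stale settings from an earlier database; /quiet suppresses the confirmation prompt.
secedit /configure /db $db /cfg $Template /overwrite /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit configure failed (exit $LASTEXITCODE); see $log" }

# 3. Re-analyze the machine against the template and surface any settings that did not apply.
secedit /analyze /db $db /cfg $Template /log $log | Out-Null
Write-Host "Applied $Template. Backup: $backup. Details: $log"
Get-Content -LiteralPath $log | Select-String -Pattern 'Mismatch|Error' | Select-Object -First 20
```

Keep the exported backup with the installation logs from step 2; it is the only record of the pre-hardening policy on a machine that has no GPO to fall back on.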
To avoid a scenario in which the CPM is unavailable, you can set up a Disaster Recovery (DR) "active-passive" cluster by installing and configuring a second CPM instance.
If the primary CPM is down, you can manually switch over to the second instance, the DR CPM.
Only one active instance of the CPM can be available at any time.