CPC-CDE-RECERT CyberArk CDE-CPC Recertification Question and Answers

When installing the first CyberArk Privilege Management (CPM) instance in the Privilege Cloud using the Connector Management Agent, the installation mode should be set to "Active". This configuration sets the CPM to be actively involved in password management and task processing without being in a standby or passive mode. Here are the step-by-step details:

Download the Connector Management Agent: Obtain the installer from the CyberArk Marketplace or your installation kit.

Run the Installer: Start the setup and select the CPM component to install.

Choose Installation Mode: When prompted, select "Active" as the installation mode. This sets up the CPM as the primary node responsible for handling password management operations.

This setup ensures that the CPM is immediately active and capable of handling requests without waiting for manual intervention or failover.

https://docs.cyberark.com/privilege-cloud-standard/Latest/en/Content/Security/PSM-hardening-configuration.htm?Highlight=disable%20support%20for%20browsers

For PSM Web Connectors developed using the CyberArk Plugin Generator Utility (PGU), the supported browser is Google Chrome. This is because the PGU is designed to create plugins that are most compatible with Chrome's web technologies and security frameworks. Chrome is generally recommended by CyberArk for its up-to-date security features and extensive support for web applications. This is further supported by the CyberArk documentation on the Plugin Generator Utility, which specifies browser compatibility and the optimal environment for deploying web connectors.

On CyberArk Privilege Cloud, updating users' permissions on safes can be done through the Privilege Cloud Portal and the REST API. The Privilege Cloud Portal provides a user-friendly graphical interface where administrators can manage user permissions directly within the portal's safe management settings. Additionally, the REST API offers a programmable way to automate permission updates across safes, which is especially useful for bulk changes or integrating with other management tools. Both methods provide effective means to manage and customize access controls in a CyberArk environment, allowing for detailed permission settings per user on specific safes.

CyberArk’s predefined groups documentation describes the Auditors group as having View audit plus Safe viewing-related authorization (documented as View Safe Members, enabling visibility into Safe contents/activity/owners list). This matches the intent of “View Audit + View Safe” in the question better than the other options.

CyberArk’s platform configuration guidance explicitly shows the navigation path to this parameter:

Edit the platform → Expand “Automatic Password Management” → select “General” → set “AllowedSafes”.

In other words, AllowedSafes is located under Automatic Password Management > General, which matches option C.

For customers using CyberArk Privilege Cloud Shared Services, the correct format for the CyberArk Vault address is:

vault-<subdomain>.privilegecloud.cyberark.cloud (Option B). This format is used to access the vault services provided by CyberArk in the cloud environment, where <subdomain> is the unique identifier assigned to the customer’s specific instance of the Privilege Cloud.

In a PSM Load Balanced Virtual Server Configuration, the default service ports/protocols used are RDP/3389 and HTTPS/443. RDP (Remote Desktop Protocol) typically uses port 3389 for remote desktop services, which is essential for PSM functionalities involving remote sessions. HTTPS, which utilizes port 443, is used for the PSM Health Check service to ensure secure and encrypted communication during the monitoring and health verification processes of the PSM services.

During Secure Tunnel deployment, CyberArk’s installation flow includes an “Authenticate to Privilege Cloud” step where you must enter Subdomain or Customer ID (plus the provided username/password). The documentation explicitly says to enter only the subdomain identifier (not the whole URL) or use the Customer ID provided by CyberArk.

For LDAP integration with CyberArk Privilege Cloud Standard, the correct statement is that only the Issuing CA certificate is required for certificate trust to your directory server. This setup simplifies the process of establishing a trusted connection between CyberArk and the LDAP server by necessitating only the certification of the issuing Certificate Authority (CA), rather than needing multiple certificates from different levels of the trust chain. This approach ensures that the SSL/TLS communication between CyberArk and the LDAP server is secured based on the trust of the issuing CA’s certificate.

AllowedSafes is a regular expression and is case sensitive.

The regex Win (with no anchors) will match any Safe name that contains the exact substring “Win” with the same case:

WindowsPasswords → starts with Win ✅

SQL-Win-SA → contains Win ✅

win-ssh-keys → contains win (lowercase) ❌ (case sensitive)

CXD-WIN-ADMINS → contains WIN (all caps) ❌

WiNdOwS_Accts → mixed case, does not contain the exact substring Win ❌

Therefore the correct choices are A and D.

CyberArk explains that PSM recordings are saved temporarily on the PSM/connector during the active session, and when the session ends they are uploaded to Privilege Cloud.

It further notes that sessions are stored in the default recording Safe (PSMRecordings) in the Privilege Cloud Vault.

CyberArk’s Privilege Cloud SAML configuration documentation explicitly states: Privilege Cloud supports only one assertion and instructs you to ensure only one assertion is configured in the IdP.

https://docs.cyberark.com/pam-self-hosted/11.4/en/content/pas%20inst/following-central-policy-manager-installation.htm

CyberArk’s hardening instructions for SUSE (manual hardening) explicitly require:

Updating the SSH daemon configuration in /etc/ssh/sshd_config (for example, removing SFTP subsystem definitions and setting multiple hardening-related attributes such as disabling forwarding features).

Ensuring the credential file for the PSM for SSH gateway user (psmpgwuser.cred) has the required permissions 640 (default path shown as /etc/opt/CARKpsmp/Vault/psmpgwuser.cred).

Those map directly to A and C.

After the successful scripted installation of the Privileged Session Manager (PSM), one of the post-installation tasks is to disable the screen saver for the PSM local users. This is done to ensure that the PSMConnect and PSMAdminConnect users, which are created during the installation process, do not have a screen saver activated that could interfere with the operation of the PSM.

CyberArk’s Privilege Cloud documentation for SIEM integration (Syslog) states that to connect to SIEM in Privilege Cloud, you must first deploy the Secure Tunnel.

That means the Secure Tunnel is the required component that enables the communication path for sending Privilege Cloud audit logs via Syslog (TCP/TLS) to your SIEM.

Why the other options are not correct for this Privilege Cloud Syslog requirement:

A (CyberArk Syslog Writer) is typically referenced in CyberArk Identity / ISP logging contexts, not as the required Privilege Cloud SIEM transport component. (Privilege Cloud SIEM doc calls out Secure Tunnel explicitly.)

C (Privilege Cloud Connector) is not what the SIEM/Syslog doc identifies as the required prerequisite; it specifically calls out Secure Tunnel.

D (CyberArk Identity Connector) is used to integrate directory services (AD/LDAP) with CyberArk Identity/Identity Administration, not as the Privilege Cloud Syslog transport prerequisite.

The sshd_config file is the correct configuration file that must be updated to define maintenance users for administering the Privilege Cloud PSM for SSH connector. This file contains configurations for the SSH daemon, including user permissions and group settings. When adding maintenance users, their user accounts are created on the PSM server, and then they are added to the AllowGroups parameter within the sshd_config file to grant them the necessary permissions.

CyberArk’s Privilege Cloud Standard SAML configuration documentation states that, before using SAML, users must already be defined in Privilege Cloud and provides two supported methods:

Integrate with your LDAP server (recommended) → this provisions users into Privilege Cloud. (Answer A)

Create CyberArk users in Privilege Cloud with identical details as the users who will access via SAML. (Answer D)

The other options are not valid “user definition” methods for this requirement:

SIEM and Email system integrations don’t define users in Privilege Cloud.

E is not a supported/customer method in Privilege Cloud Standard documentation (and Privilege Cloud is a managed service; you don’t create users by directly manipulating the service database).

In the directory lookup order for the CyberArk Privilege Cloud solution, the "CyberArk Cloud Directory" is always looked up first. This directory service is a part of the CyberArk Privilege Cloud infrastructure and is specifically designed to handle identity and access management within the cloud environment efficiently. It prioritizes the CyberArk Cloud Directory for authentication and identity resolution before consulting any external directory services.

https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/privilege%20cloud/privcloud-configure-auth.htm

CyberArk’s official guidance for restricting a platform to specific Safes is to set the AllowedSafes platform parameter in the General section of the platform under Automatic Password Management.

AllowedSafes uses a regular expression to match Safe names, which is why a pattern such as (WINDEMEA)|(WINDEMEA_ADMIN) is used to allow exactly those two Safe names.

When installing the PSM and CPM components on the same Privilege Cloud Connector and considering the hardening process, it's important to note that PSM settings override the CPM settings when referring to the same parameter. This hierarchy is crucial in ensuring that the more stringent security settings required by PSM, which typically handles direct interaction with end-user sessions, take precedence over CPM settings. This setup helps maintain robust security practices by applying the most restrictive configuration where conflicts occur.

https://docs.cyberark.com/privilege-cloud-shared-services/Latest/en/Content/Privilege%20Cloud/privCloud-connect-siem.htm

CyberArk documents that due to RDS licensing enforcement in Windows 2019/2022, Per-user licensing is not supported for local users, and (when Per-user CALs are required) you should move the built-in PSM application users (PSMConnect / PSMAdminConnect) from local to domain users.

Therefore, to leverage existing Per-user RDS licensing on Windows 2019 PSM servers, you must migrate the local PSM users to domain users → C.