CyberArk CPC-CDE-RECERT - CyberArk CDE-CPC Recertification

CyberArk’s official connector guidance (CyberArk Identity / Identity Administration—used with Privilege Cloud Shared Services for AD user authentication) says that for trusted domains in a single forest, you use this model when the domain controllers have a two-way, transitive trust relationship with the domain controller the connector is joined to.

It also clarifies that a single connector can be used for the entire domain tree or forest in that trusted-domain model, and authentication requests are handled according to AD trust relationships within the forest/tree.

https://docs.cyberark.com/identity/latest/en/content/coreservices/connector/userauthmultdomain.htm

CyberArk states that a Safe can be deleted only after its contents are deleted permanently, and (critically) objects are only deleted permanently after their retention/versions retention has passed. In the Privilege Cloud Safe management documentation, it notes that accounts are deleted permanently only after their retention period has passed, which is why deletion can be blocked by “non-expired” objects.

The underlying Vault/PACLI behavior is also explicit: “It is only possible to delete a Safe after the version retention period has expired for all files contained in the Safe.”

So, beyond deleting the content, the version retention period must have expired for all files → B.

When implementing LDAPS Integration for a standard Privilege Cloud environment, certain information is crucial and must be provided to the CyberArk Privilege Cloud support team through a Service Request. The necessary details include:

LDAPS certificate chain for all domain controllers to be integrated (Option A): This information is critical to establishing a trusted secure connection between the Privilege Cloud and the domain controllers using LDAP over SSL (LDAPS).

Fully Qualified Domain Name and IP Address of the domain controllers to be integrated (Option D): This information is essential for accurately identifying and configuring the network connections to each domain controller that will be integrated with the Privilege Cloud.

The correct statement about using the AllowedSafes platform parameter is that it prevents the Central Policy Manager (CPM) from scanning all safes, restricting it to scan only safes that match the AllowedSafes configuration. This parameter is crucial in large-scale deployments where efficiency and resource management are key. By specifying which safes the CPM should manage, unnecessary scanning of irrelevant safes is avoided, thus optimizing the CPM's performance and reducing the load on the CyberArk environment. This configuration can be found in the platform management section of the CyberArk documentation.

According to best practice, when considering the location of PSM Connector servers in Privilege Cloud environments, the PSM should be placed near the target devices. This placement minimizes latency and maximizes performance by reducing the distance that data has to travel between the PSM servers and the devices they are managing. This is particularly important for maintaining high efficiency and response times during remote session management and operations, which are critical for the overall effectiveness of the Privilege Cloud environment.

When installing the PSM and CPM components on the same Privilege Cloud Connector and considering the hardening process, it's important to note that PSM settings override the CPM settings when referring to the same parameter. This hierarchy is crucial in ensuring that the more stringent security settings required by PSM, which typically handles direct interaction with end-user sessions, take precedence over CPM settings. This setup helps maintain robust security practices by applying the most restrictive configuration where conflicts occur.

CyberArk states that LDAP users are provisioned using directory maps, and that a directory map determines whether a user account or group may be created in Privilege Cloud (and under which criteria/templates). That’s A.

CyberArk also states that an LDAP user’s account properties are updated by the directory map each time the user logs on (i.e., attributes refresh on login). That’s C.

Why the others are incorrect:

B: No custom Python script is required—Privilege Cloud uses built-in LDAP integration/directory mapping.

D: A Base Context / search base (e.g., DC=example,DC=com) is part of the required LDAP connection configuration.

E: The bind user does not have to be a domain admin; typical LDAP bind accounts are least-privileged for directory reads (domain admin is not a prerequisite in CyberArk’s integration flow).

To retrieve the previous password for an account that had its password changed by the CPM, you should look under the Versions tab within the account's overview page. This tab maintains a history of password changes, including previous passwords, along with other historical data points that allow for tracking changes over time. This feature is critical for auditing and rollback purposes in environments where knowing past credentials is necessary for troubleshooting or compliance.

When deploying a CyberArk Identity Connector to integrate Privilege Cloud Shared Services with an Active Directory environment, the server hosting the Identity Connector must meet specific requirements to ensure proper integration and functionality. The necessary condition is:

The Identity Connector Server must be joined to the Active Directory (Option A). This requirement ensures that the server can communicate effectively with the Active Directory services and manage identity data securely and efficiently. Being part of the Active Directory domain facilitates authentication and authorization processes required for the connector to function correctly.