CyberArk CPC-CDE-RECERT - CyberArk CDE-CPC Recertification

CyberArk explains that PSM recordings are saved temporarily on the PSM/connector during the active session, and when the session ends they are uploaded to Privilege Cloud.

It further notes that sessions are stored in the default recording Safe (PSMRecordings) in the Privilege Cloud Vault.

CyberArk’s Connector Management prerequisites check defines the exact network connectivity rules that must pass before installation:

VaultConnectivity → Connect to the Privilege Cloud backend on TCP 1858

TunnelConnectivity → Connect to the Secure Tunnel on TCP 443

CustomerPortalConnectivity → Connect to the service backend URL on TCP 443

This matches option A exactly.

CyberArk’s platform configuration guidance explicitly shows the navigation path to this parameter:

Edit the platform → Expand “Automatic Password Management” → select “General” → set “AllowedSafes”.

In other words, AllowedSafes is located under Automatic Password Management > General, which matches option C.

PSM for SSH supports various authentication methods, specifically focusing on secure and verified access mechanisms. The supported methods include:

RADIUS (D): Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service. PSM for SSH utilizes RADIUS to authenticate SSH sessions, which adds an additional layer of security by centralizing authentication requests to a RADIUS server.

Client Authentication Certificate (E): This method uses certificates for authentication, where a client presents a certificate that the server verifies against known trusted certificates. This type of authentication is highly secure as it ensures that both parties involved in the communication are precisely who they claim to be, making it suitable for environments that require stringent security measures.

These methods provide robust security options for SSH sessions managed through CyberArk's PSM, ensuring that only authorized users can access critical systems.

CyberArk’s Privilege Cloud Standard SAML configuration documentation states that, before using SAML, users must already be defined in Privilege Cloud and provides two supported methods:

Integrate with your LDAP server (recommended) → this provisions users into Privilege Cloud. (Answer A)

Create CyberArk users in Privilege Cloud with identical details as the users who will access via SAML. (Answer D)

The other options are not valid “user definition” methods for this requirement:

SIEM and Email system integrations don’t define users in Privilege Cloud.

E is not a supported/customer method in Privilege Cloud Standard documentation (and Privilege Cloud is a managed service; you don’t create users by directly manipulating the service database).

In Privilege Cloud Shared Services, the System Health dashboard lists component categories that include CPM (and Accounts Discovery) and PSM (and PSM for SSH), along with Web Portal and Secrets Manager Credential Providers. Vault/PVWA/PTA are not listed as monitorable components on this page in the Privilege Cloud Shared Services System Health topic.

1-Run the Connector Management Connector installer

2-Install the CPM and PSM

3-When you are prompted to select the components to install, select CPM.

4-When you are prompted to select the CPM mode, select Passive.

https://docs.cyberark.com/ispss-deployment/latest/en/content/privilege%20cloud/privcloud-cpm-dr-install-config.htm

The error message "CACPM410E Ending password policy Prod-AIX-Root-Accounts since the reconciliation task is active but the AllowedSafes parameter was not updated" suggests an issue with configuration parameters. The likely cause is:

The AllowedSafes parameter does not include the safe containing the reconciliation account defined in the Platform (Option C). This parameter must accurately reflect all safes where the reconciliation account operates to ensure proper management and access by the Central Policy Manager (CPM). If the safe containing the reconciliation account is not listed, the CPM cannot perform its tasks, leading to this error.

https://docs.cyberark.com/privilege-cloud-shared-services/Latest/en/Content/Privilege%20Cloud/privCloud-connect-siem.htm