CyberArk CPC-CDE-RECERT - CyberArk CDE-CPC Recertification

In large-scale environments, to enable the Central Policy Manager (CPM) to focus its search operations on specific Safes instead of scanning all Safes it sees in the Vault, the AllowedSafes parameter on each platform policy is used. This parameter can be configured within the platform settings in the CyberArk administration interface. By specifying safes in the AllowedSafes parameter, the CPM will only manage credentials within those designated safes, thereby optimizing performance and managing resources more efficiently by not scanning unnecessary safes. This setting is crucial for large environments where the CPM needs to be as efficient as possible due to the volume of managed accounts.

https://docs.cyberark.com/pam-self-hosted/latest/en/content/pasimp/administrating-the-psmp.htm#Createamaintenanceuser

CyberArk’s official DR CPM procedure for Privilege Cloud (shared services) describes two key actions in this flow:

During installation (Connector Management): When prompted to select the CPM mode, choose Passive.

After installation (configuration step): Stop the CyberArk Password Manager service and set its startup type to Manual.

These map directly to answers C and A.

Privilege Cloud (Shared Services) user access is governed by CyberArk Identity user existence and policy. If the user account is removed, sign-in is blocked and the end-user experience is the standard “unable to sign in / contact administrator” style message, consistent with CyberArk’s end-user troubleshooting guidance when sign-in is blocked by policy/account state.

(Options C and D do not align with Identity-based access control behavior; a removed Identity user should not be able to authenticate successfully.)

CyberArk’s hardening instructions for SUSE (manual hardening) explicitly require:

Updating the SSH daemon configuration in /etc/ssh/sshd_config (for example, removing SFTP subsystem definitions and setting multiple hardening-related attributes such as disabling forwarding features).

Ensuring the credential file for the PSM for SSH gateway user (psmpgwuser.cred) has the required permissions 640 (default path shown as /etc/opt/CARKpsmp/Vault/psmpgwuser.cred).

Those map directly to A and C.

The default authentication profile to access CyberArk Identity is typically the Default New Device Login Profile. This profile is used to manage the authentication settings and security measures for devices accessing CyberArk services for the first time. It includes configurations such as authentication methods, security checks, and compliance requirements, ensuring that new devices meet the organization’s security standards before gaining access.

CyberArk documents that automatic hardening can be bypassed by setting the Hardening parameter in the PSM for SSH parameters file. The PSM for SSH parameters file used during installation is the psmpparms file (created by copying psmpparms.sample and renaming it to psmpparms).

From the error message provided, two likely scenarios could represent valid misconfigurations:

TCP Port 636 could be blocked by a network firewall, preventing communication between the CyberArk Identity Connector and the LDAP Server (A). This is a common issue where firewall settings prevent the secure communication port (typically 636 for LDAPS) from transmitting data between the server and the connector, thus blocking the connection attempt.

'Verify Server Certificate' is activated but the provided hostname is not listed as a Subject Alternative Name (SAN) in the LDAP server's certificate (C). This scenario occurs when SSL/TLS security measures are stringent, requiring that the hostname used to connect to the LDAP server must match one listed in the server's SSL certificate. If the hostname does not match, the connection will fail due to SSL certificate validation errors.

CyberArk’s predefined groups documentation describes the Auditors group as having View audit plus Safe viewing-related authorization (documented as View Safe Members, enabling visibility into Safe contents/activity/owners list). This matches the intent of “View Audit + View Safe” in the question better than the other options.