Creating CyberArk PSM Web Plugins

Joe Agler
5 min read · Feb 4, 2023


There’s already CyberArk documentation related to creating Privileged Session Manager (PSM) Web plugins, but I want to share what I’ve learned and hopefully simplify the explanation so others can benefit and in turn secure their environments as well. I’m not going to go into configuring the underlying pieces, but I will provide tips and tricks related to how I troubleshoot and figure out how to make new PSM web plugins.

Check the CyberArk marketplace for the related application site having a PSM plugin. If one exists already, utilize that. Don’t waste your time re-inventing unless you’re doing it for learning purposes.

DON’T test in Production. Use a lab environment and related lab accounts and such to validate your new connector.

Prerequisites —

  • CyberArk PSM installed and configured in your environment
  • Chrome and/or Edge configured and enabled for PSM Web plugins
  • RDP access to your PSM server(s)
  • Platform enabled and requiring PSM sessions and recording
  • Related safe permissions for PSM use are set
  • Admin access to your Password Vault Web Access (PVWA) site
  • Vaulted Account(s) you want to utilize for logging into target websites

High level of how things work —

  • Create a new connection component and/or clone the out of the box sample web component (PSM-WebFormSample) within PVWA under Administration>Options>Connection Components. Set the name. Note the name you chose to use in the next step. For example, PSM-Web-<SiteName>.
  • Configure the connection component with the needed parameters. The parameters that normally change are LogonURL, and WebFormFields. Click apply so the settings save.
  • Navigate to the related Platform you want to link the PSM connection component to under Administration>Options>Platform Management>select and edit the platform.
  • Under UI & Workflows, right-click and add a connection component. Use the name you chose for the connection component, so the ID value would be PSM-Web-<SiteName>, and Enable is set to Yes.
  • Wait ~10 minutes for the settings to take effect, or restart the PSM server service.
  • Find the account you’ll be using the connector with that has the correct platform assigned. Click the connect drop-down, choose the PSM-Web-<SiteName> connector.
  • If the connector errors out, review PSM connection component logs, update connection component WebFormFields, etc. as needed until it works.

PSM Web Plugin Tips & Tricks —

  • Utilize the Plugin Generator provided by CyberArk to step through logging into the website with the related account(s) if you’re super new to PSM web plugins. Review the files it generates.
  • Once you get the hang of the connectors and have more of them, clone a similar connection component and build on that. Pull down various PSM web connectors on the CyberArk Marketplace and review them. See if you can re-use that functionality in a new plugin you need.
  • Each web browser has developer tools included. After you load the site’s logon page, right-click on the related fields and click Inspect. Using names and IDs is better, but it varies by site. You may need to utilize a class, XPath, or full XPath for items. Note the various field names required for logging in with the account.
  • When editing the Connection Component, you can pass field variables from the account into the PSM connector for use.
    For example, the LogonURL can be https://{Address}/login. This would be for a local admin account that the user is connecting to the site with.
  • If there are a LOT of target sites the users log into and it doesn’t make sense to create a lot of platforms with static URLs, you can prompt the user to provide which site name to pass into the PSM web connector URL dynamically. An example would be like this — https://{PSMRemoteMachine}/login. If the site needs to include a port, have the user provide it in the PSM server prompt; otherwise it doesn’t pass correctly to the plugin. That makes the port dynamic instead of static as well, letting the user utilize whichever port is used for their application or appliance site.
  • If a site normally loads slow, it will for the PSM connector as well. In those scenarios, increase the timeouts under the PSM connection component to be 60 instead of the default 30 seconds for example. The more the plugin has to do, the longer it takes to execute and load up. That could be ConnectionComponentInitTimeout, ActionTimeout, PageLoadTimeout parameters. Those are found within the connection component.
  • If you’re stuck, set EnableTrace to yes to troubleshoot. Administration>Options>Connection Components>Expand related connection component>User parameters>Target settings>Client Specific>EnableTrace = yes.
  • To set PSM trace logs to the max to enable debugging and troubleshooting, you can adjust the TraceLevels for PSM. Set that configuration here — PVWA > System > Options > Privileged Session Management > General Settings > Server Settings > TraceLevels=1,2,3,4,5,6,7.
  • On the PSM server that is being utilized, you can find the related logs for troubleshooting under the PSM\Logs\Components folder: <drive>:\Program Files (x86)\CyberArk\PSM\Logs\Components\. Note the time and related file names it creates after you try the PSM connector. This assumes you have enabled max TraceLevels (as noted in the step above).
  • If the PSM connection doesn’t work, it could be that your target site’s certificate does not have the correct subject alternative names set, the certificate is expired, or it is somehow misconfigured. For example, the IP address being provided, or the short name the user(s) are entering, may not be on the loaded iDRAC certificate, which would cause validation to fail and drop the PSM connection. Ideally have the FQDN, short name, and IP address on the certificate which is loaded onto the iDRAC.

Example PSM Web Plugin WebFormFields —
For xpath, when using [ ], include a caret (^) before each bracket.

usernameBox > {Username} (SearchBy=Id)
passwordBox > {Password} (SearchBy=Id)
loginButton > (Click) (SearchBy=Id)
Identifier > (Validation) (SearchBy=id)

username > {Username} (SearchBy=name)
password > {Password} (SearchBy=name)
loginButton > (Button) (SearchBy=name)
Identifier > (Validation) (SearchBy=id)

login_field > {Username} (SearchBy=Id)
login_pw > {Password} (SearchBy=Id)
//*^[@id="page-content"^]/div/div/div/div/div/div^[2^]/form/div^[2^]/button > (Button) (SearchBy=xpath)
//*^[@id="login-image"^]/div/div/div^[1^]/img > (Validation) (SearchBy=xpath)

user-name-here > {Username} (SearchBy=class)
pass-name-here > {Password} (SearchBy=class)
login-button-name-here > (Button) (SearchBy=class)
menu-option-name-here > (Validation) (SearchBy=class)

Some additional examples for harder PSM Web or PSM Web CPM items:

//a[contains(text(),'Save')]>(Button)(searchby=xpath)
//a[contains(text(),'admin')]>(Click)(searchby=xpath)
//*[contains(@id,"parent_identity_identity_users")] > (click)(searchby=xpath)
//*[contains(@href,"/identity/users")] > (click)(searchby=xpath)
//*[text()="Change Password"] > (click)(searchby=xpath)
//*[contains(@value,"Save New Password")] > (click)(searchby=xpath)
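The example sets above follow one line shape, and most connector failures I have chased came down to a typo in one of those lines or a missing piece of the set. The script below is an added example written for this post; it is not CyberArk code and does not talk to PSM. It models the line grammar as <locator> > {Placeholder}|(Action) (SearchBy=<method>) (an assumption drawn from the examples), limits the recognised SearchBy methods to the four used above (id, name, class, xpath), applies the caret rule stated for xpath brackets, checks that a set has a username, a password, a submit action and a (Validation) element, and renders a LogonURL template such as https://{PSMRemoteMachine}/login against account properties, where the recognised placeholder names {Address}, {Username} and {PSMRemoteMachine} are also an assumption. The two sample sets are constructed for the demo.

```python
"""Offline lint for PSM web connector WebFormFields and LogonURL settings.

Added example for this post; not CyberArk code. The line grammar, the set of
SearchBy methods and the LogonURL placeholder names are assumptions modelled
on the examples in the article.
"""
import re
from typing import Dict, List

# One WebFormFields line: <locator> > {Placeholder}|(Action) (SearchBy=<method>)
LINE_RE = re.compile(
    r"^\s*(?P<locator>.+?)\s*>\s*"
    r"(?P<target>\{[A-Za-z]+\}|\([A-Za-z]+\))\s*"
    r"\(\s*searchby\s*=\s*(?P<method>[A-Za-z]+)\s*\)\s*$",
    re.IGNORECASE,
)
KNOWN_METHODS = {"id", "name", "class", "xpath"}      # only those used in the article
SUBMIT_ACTIONS = {"button", "click"}                  # both spellings appear above
KNOWN_URL_PLACEHOLDERS = {"Address", "Username", "PSMRemoteMachine"}  # assumption


def parse_line(line: str) -> Dict[str, str]:
    """Split one WebFormFields line into locator, target and lower-cased SearchBy method."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable WebFormFields line: {line!r}")
    return {"locator": m.group("locator"), "target": m.group("target"),
            "method": m.group("method").lower()}


def unescaped_brackets(locator: str) -> List[int]:
    """Positions of '[' or ']' in an xpath locator that lack the '^' escape."""
    return [i for i, ch in enumerate(locator)
            if ch in "[]" and (i == 0 or locator[i - 1] != "^")]


def lint_fieldset(lines: List[str]) -> List[str]:
    """Return readable problems for a whole WebFormFields set; an empty list means clean."""
    problems: List[str] = []
    seen = set()
    for n, raw in enumerate(lines, 1):
        if not raw.strip():
            continue
        try:
            f = parse_line(raw)
        except ValueError as e:
            problems.append(f"line {n}: {e}")
            continue
        if f["method"] not in KNOWN_METHODS:
            problems.append(f"line {n}: unknown SearchBy method {f['method']!r}")
        if f["method"] == "xpath":
            bad = unescaped_brackets(f["locator"])
            if bad:
                problems.append(f"line {n}: xpath bracket(s) at {bad} lack the ^ escape")
        seen.add(f["target"].strip("{}()").lower())
    # A working logon set needs a username, a password, a submit and a post-logon check.
    if "username" not in seen:
        problems.append("no {Username} field")
    if "password" not in seen:
        problems.append("no {Password} field")
    if not seen & SUBMIT_ACTIONS:
        problems.append("no (Button)/(Click) submit action")
    if "validation" not in seen:
        problems.append("no (Validation) element, so PSM cannot confirm the logon succeeded")
    return problems


def render_logon_url(template: str, props: Dict[str, str]) -> str:
    """Substitute {Property} placeholders in a LogonURL; unknown or missing ones raise."""
    def sub(m: re.Match) -> str:
        key = m.group(1)
        if key not in KNOWN_URL_PLACEHOLDERS:
            raise KeyError(f"placeholder {{{key}}} is not a known account property")
        if key not in props:
            raise KeyError(f"account has no value for {{{key}}}")
        return props[key]
    return re.sub(r"\{([A-Za-z]+)\}", sub, template)


# Constructed sample: the article's first id-based set, which should lint clean.
SAMPLE_OK = [
    "usernameBox > {Username} (SearchBy=Id)",
    "passwordBox > {Password} (SearchBy=Id)",
    "loginButton > (Click) (SearchBy=Id)",
    "Identifier > (Validation) (SearchBy=id)",
]
# Constructed sample with two defects: unescaped xpath brackets and no (Validation) line.
SAMPLE_BAD = [
    "login_field > {Username} (SearchBy=Id)",
    "login_pw > {Password} (SearchBy=Id)",
    '//*[@id="login"]/button > (Button) (SearchBy=xpath)',
]

if __name__ == "__main__":
    for name, fieldset in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, lint_fieldset(fieldset) or "clean")
    # Constructed account value; the port rides along in the prompt value as the tip above describes.
    print(render_logon_url("https://{PSMRemoteMachine}/login",
                           {"PSMRemoteMachine": "idrac01.lab.example:8443"}))
```

Run it before pasting a new set into the connection component; a "bad" result for the second sample shows both the bracket escape and the missing validation element, which are the two things that otherwise only surface in the PSM component logs after a failed session.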

Recommended items:

  • Once you get the hang of creating and/or loading these PSM plugins, teach someone else on your team how to do it.
  • Be sure to document how your plugins work.
  • Back up your pvconfigurations.xml and policies.xml files within your vault as a CYA, ideally within a code repo like GitHub or GitLab.

Looking to buy plugins pre-packaged? Check out my site here — https://www.keyvaultsolutions.com/

Related CyberArk Documentation —


Joe Agler

Senior IT Security Engineer. GCWN, GPEN, GCUX, CISSP, CISA, CyberArk CDE. Site: KeyVaultSolutions.com. My posts are my own and are not the views of my employer.