CPC-CDE-RECERT CyberArk CDE-CPC Recertification Questions and Answers

CyberArk states that users can authenticate to the Vault through PSM for SSH using:

CyberArk password authentication (i.e., CyberArk authentication),

LDAP, and

RADIUS (including challenge-response).

Windows, SAML, and OIDC are not listed as direct PSM for SSH authentication methods in the PSM for SSH authentication configuration (Privilege Cloud / PSM for SSH uses the configured PSM for SSH authentication methods such as Password/LDAP/RADIUS)

CyberArk states that a Safe can be deleted only after its contents are deleted permanently, and (critically) objects are only deleted permanently after their retention/versions retention has passed. In the Privilege Cloud Safe management documentation, it notes that accounts are deleted permanently only after their retention period has passed, which is why deletion can be blocked by “non-expired” objects.

The underlying Vault/PACLI behavior is also explicit: “It is only possible to delete a Safe after the version retention period has expired for all files contained in the Safe.”

So, beyond deleting the content, the version retention period must have expired for all files → B.

CyberArk documents that the HTML5 gateway tunnels the session using a secure WebSocket over port 443, enabling users to access PSM sessions from a web browser (instead of requiring an RDP client connection from the endpoint).

In Privilege Cloud remote access for employees, CyberArk describes using Remote Access and HTML5 to enable secure remote access sessions through PSM “from any web browser,” eliminating the need for VPN clients.

Given the provided answer choices, A is the only option that matches the documented “tunneling” role of the HTML5 Gateway (even though the most precise phrasing in CyberArk docs is “tunnels the session between the end user and the PSM machine”).

Why the other options are incorrect:

B: Authentication is handled by Privilege Cloud/IdP mechanisms; the HTML5 gateway’s documented role is session tunneling, not being the primary authenticator.

C: CyberArk explicitly positions HTML5 remote access as eliminating the need for VPN clients (not providing VPN).

D: This is marketing language not reflected as the HTML5 gateway’s documented purpose.

In CyberArk Privilege Cloud, when connecting to a target server using the Privileged Session Manager (PSM) for SSH, the correct syntax for the SSH command includes the following format: ssh neil@linuxuser01#acme.corp@192.168.1.164@192.168.65.145. This syntax breaks down as follows:

neil: The CyberArk username.

linuxuser01#acme.corp: The domain user on the target Linux server, formatted as username#domain.

192.168.1.164: The IP address of the target Linux server.

192.168.65.145: The IP address of the PSM for SSH server.

This specific format ensures that the CyberArk Privileged Access Manager correctly interprets and routes the connection through the PSM for SSH to the intended target server.

In the Privilege Cloud LDAP integration workflow, CyberArk lists the default maps (built-in directory maps) as:

Vault Admins

Safe managers

Auditors

Users

Since the question asks for the default roles in addition to Vault Admins and Auditors, the remaining two default map roles are Safe managers and Users, which correspond to A and D.

CyberArk’s hardening instructions for SUSE (manual hardening) explicitly require:

Updating the SSH daemon configuration in /etc/ssh/sshd_config (for example, removing SFTP subsystem definitions and setting multiple hardening-related attributes such as disabling forwarding features).

Ensuring the credential file for the PSM for SSH gateway user (psmpgwuser.cred) has the required permissions 640 (default path shown as /etc/opt/CARKpsmp/Vault/psmpgwuser.cred).

Those map directly to A and C.

To properly arrange the steps for failing over to a passive Central Policy Manager (CPM) in CyberArk, the sequence should be as follows:

Validate that the active CPM's services are stopped and set to manual.Before enabling the passive CPM, ensure that the services on the active CPM are stopped. This prevents any conflicts or data corruption by making sure that only one CPM is active at a time. Setting the services to manual ensures they do not restart automatically, which is crucial during a failover scenario.

On the passive CPM, confirm details in the Vault.ini configuration file, reset the password to the CPM user, and recreate the credential file.This step involves making sure the passive CPM has the correct configuration to seamlessly take over operations. Adjustments in the Vault.ini file may be necessary to ensure it is pointing to the correct Vault and network settings. Resetting the password and recreating the credential file are critical to secure the login and authentication process for the newly active CPM.

Enable the CPM services on the passive CPM.Once the passive CPM is correctly configured and ready, enable its services to begin handling the tasks and responsibilities of the primary CPM. This action effectively switches the role from passive to active, enabling the passive CPM to function as the new operational manager.

Review logs to confirm the passive CPM services are running as expected.Finally, review the system and application logs to confirm that the now-active CPM is operating correctly and that all services have started without errors. This step is vital for verifying that the failover process was successful and that the system is stable.

Following this ordered sequence ensures a smooth transition of roles from the active CPM to the passive CPM, minimizing downtime and potential disruptions in the privileged access management operations.

On CyberArk Privilege Cloud, updating users' permissions on safes can be done through the Privilege Cloud Portal and the REST API. The Privilege Cloud Portal provides a user-friendly graphical interface where administrators can manage user permissions directly within the portal's safe management settings. Additionally, the REST API offers a programmable way to automate permission updates across safes, which is especially useful for bulk changes or integrating with other management tools. Both methods provide effective means to manage and customize access controls in a CyberArk environment, allowing for detailed permission settings per user on specific safes.

PSM for SSH supports various authentication methods, specifically focusing on secure and verified access mechanisms. The supported methods include:

RADIUS (D): Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service. PSM for SSH utilizes RADIUS to authenticate SSH sessions, which adds an additional layer of security by centralizing authentication requests to a RADIUS server.

Client Authentication Certificate (E): This method uses certificates for authentication, where a client presents a certificate that the server verifies against known trusted certificates. This type of authentication is highly secure as it ensures that both parties involved in the communication are precisely who they claim to be, making it suitable for environments that require stringent security measures.

These methods provide robust security options for SSH sessions managed through CyberArk's PSM, ensuring that only authorized users can access critical systems.

CyberArk’s official outbound traffic/network requirements explicitly list the two Privilege Cloud cloud-side endpoints that are required for Secure Tunnel communications (for REST/API calls over HTTPS/443):

Backend service management (Required for Secure Tunnel): https://console.privilegecloud.cyberark.com

Connector (Required for Secure Tunnel): https://connector- .privilegecloud.cyberark.com

These map directly to answer choices A (console) and B (connector-).

Note: Your options use the .cyberark.cloud domain, while CyberArk’s network requirements documentation shows these endpoints in the .cyberark.com domain for Privilege Cloud. The service roles (Console + Connector endpoint) are what Secure Tunnel must reach, and those are the two “Required for Secure Tunnel” services in the official requirements.

Why the other options are not selected (based on what’s “required for Secure Tunnel” in the official allowlist guidance):

C (backend-services…): Not listed in CyberArk’s published “Required for Secure Tunnel” FQDN allowlist entries (console + connector are).

D (telemetry…): Telemetry is a separate capability (dashboards / utilization tracking) and is not documented as the required Secure Tunnel service endpoint.

E (update…): Secure Tunnel upgrade/download processes are documented, but “update.*” is not listed as a required Secure Tunnel cloud endpoint in the outbound allowlist table.

CyberArk states that LDAP users are provisioned using directory maps, and that a directory map determines whether a user account or group may be created in Privilege Cloud (and under which criteria/templates). That’s A.

CyberArk also states that an LDAP user’s account properties are updated by the directory map each time the user logs on (i.e., attributes refresh on login). That’s C.

Why the others are incorrect:

B: No custom Python script is required—Privilege Cloud uses built-in LDAP integration/directory mapping.

D: A Base Context / search base (e.g., DC=example,DC=com) is part of the required LDAP connection configuration.

E: The bind user does not have to be a domain admin; typical LDAP bind accounts are least-privileged for directory reads (domain admin is not a prerequisite in CyberArk’s integration flow).

According to best practice, when considering the location of PSM Connector servers in Privilege Cloud environments, the PSM should be placed near the target devices. This placement minimizes latency and maximizes performance by reducing the distance that data has to travel between the PSM servers and the devices they are managing. This is particularly important for maintaining high efficiency and response times during remote session management and operations, which are critical for the overall effectiveness of the Privilege Cloud environment.

CyberArk’s Privilege Cloud SAML configuration documentation explicitly states: Privilege Cloud supports only one assertion and instructs you to ensure only one assertion is configured in the IdP.

During Secure Tunnel deployment, CyberArk’s installation flow includes an “Authenticate to Privilege Cloud” step where you must enter Subdomain or Customer ID (plus the provided username/password). The documentation explicitly says to enter only the subdomain identifier (not the whole URL) or use the Customer ID provided by CyberArk.

For Shared Services (ISPSS), CyberArk’s Identity Administration documentation states: “To provision users based on on-prem directory services, you must first install the Identity Connector.”

This is because Privilege Cloud Shared Services leverages CyberArk Identity directory services integration (via the Identity Connector) for AD/LDAP provisioning and authentication.

CyberArk documents that to provision/authenticate users based on on-prem directory services using LDAP with Shared Services, you must first install the Identity Connector.

CyberArk also states LDAP communication to the Identity Connector is over TLS/SSL, and during the TLS handshake the LDAP server must present an X.509 certificate, meaning the connector must be able to trust the LDAP/LDAPS certificate chain (i.e., a trusted certificate on the connector side is required for LDAPS trust).

Therefore, the correct choices are B (Identity Connector) and D (trusted LDAP server certificate on the connector).

Why the other options are not correct as stated:

C is wrong because LDAPS (636) is between the Identity Connector and the domain controllers/LDAP server, not “opened to the Privilege Cloud back-end” directly.

E is not required for LDAP credential login; federated domains are used for federation/SSO use cases, while LDAP mapping is handled via the connector + LDAPS trust.

A (read-only domain user) is commonly used as the Bind DN/service account, but in the Shared Services LDAP requirement set here, the two must-have items that CyberArk calls out for enabling this path are the Identity Connector and the LDAPS certificate trust.

CyberArk’s hardening guidance is explicitly organized by whether the servers are In Domain or Out of Domain (for example, PSM hardening guidelines and tasks reference both deployment types, and CPM has separate “hardening in domain” guidance). Therefore, the deployment criterion that drives the hardening method/package is In Domain vs Out of Domain.

The Identity Connector communicates with the CyberArk Identity tenant using outbound HTTPS (TCP 443). CyberArk states the connector’s internet connections are outbound and use TCP 80/443 (with 443 being the standard requirement).

For AD/LDAP authentication using LDAPS, the connector host must be able to reach the Domain Controller on TCP 636 (LDAPS).

Why the others are incorrect:

The Identity Connector design is outbound; you do not open inbound 443 from the tenant to the connector host (so D is wrong).

LDAPS traffic is between the connector host and the domain controller, not the CyberArk tenant directly to your DC (so C and E are wrong).

To allow a PSM Universal Connector executable to run on the PSM after the hardening process, you should update the PSMConfigureAppLocker.xml file. This file configures AppLocker, which is a feature that controls which apps and files users can run on a system. Including the necessary executable in the PSMConfigureAppLocker.xml ensures it is whitelisted by AppLocker policies, thus permitted to execute even under the hardened security settings of the PSM environment. References to this configuration can be found in the CyberArk Privilege Session Manager implementation documentation, specifically in sections detailing customization and security hardening of environment configurations.

In Privilege Cloud Shared Services, the System Health dashboard lists component categories that include CPM (and Accounts Discovery) and PSM (and PSM for SSH), along with Web Portal and Secrets Manager Credential Providers. Vault/PVWA/PTA are not listed as monitorable components on this page in the Privilege Cloud Shared Services System Health topic.

https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/privilege%20cloud/privcloud-app-users.htm

For a Privilege Session Manager (PSM) server, the network requirements primarily focus on its ability to interact with target systems securely and efficiently. The most accurate statement regarding these requirements is:

It must reach the target system using its native protocols (Option A). This is essential for the PSM to manage sessions effectively, as it needs to communicate using the protocols that the target systems are configured to accept, such as SSH for Linux servers or RDP for Windows servers.

For customers using CyberArk Privilege Cloud Shared Services, the correct format for the CyberArk Vault address is:

vault-<subdomain>.privilegecloud.cyberark.cloud (Option B). This format is used to access the vault services provided by CyberArk in the cloud environment, where <subdomain> is the unique identifier assigned to the customer’s specific instance of the Privilege Cloud.

The default authentication profile to access CyberArk Identity is typically the Default New Device Login Profile. This profile is used to manage the authentication settings and security measures for devices accessing CyberArk services for the first time. It includes configurations such as authentication methods, security checks, and compliance requirements, ensuring that new devices meet the organization’s security standards before gaining access.

https://docs.cyberark.com/pam-self-hosted/latest/en/content/pas%20inst/install_psm_harden.htm#HardenInDomaindeployments