The CyberArk marketplace has an iDRAC PSM web connector plugin geared towards logging in with a local root or admin account, but not as a windows domain privileged user account. In this blog, I’ll focus on showing how to make the PSM iDRAC web connector work for domain accounts.

WHY use a windows domain user privileged account?

Having such an iDRAC PSM domain focused connector allows for least privilege and leveraging your own privileged user admin account. For example, your privileged accounts can be mapped and configured as Operators, and only utilize the root account for administrative changes. Alternatively, your domain privileged accounts could be admins and utilized versus the shared local root account. Your privileged domain accounts are more likely to have been set to rotate more frequently than the local root account that is normally used as break-glass. This means less exposure for the local root account.

Please try these items in your QA lab (and iDRAC account(s)) before deploying to production. I’m not responsible for your own actions.

Prerequisites —

• CyberArk iDRAC v9 marketplace plugin or related configurations.
• PSM servers configured to allow PSM web connections
• RDP access to your PSM server(s)
• Admin access to your PVWA site
• AD group for IDRAC use — Privilege Domain accounts within the group
• iDRAC v9+
• Root account on target iDRAC to modify settings as needed
• IDRAC configured for LDAP/AD access
• IDRAC configured to utilize the AD group for privilege IDs you want to leverage
• Privilege ID within your vault to test PSM web connector functionality and perform validations
• Determine what domain user platforms you’ll link the connector to.

Let’s go —

1. Log into your PVWA site as an administrator.
2. Navigate to Administration>Options>connection components
3. Import the iDRAC PSM v9 connector from the marketplace and/or manually create the connector using the PSM-WebFormSample connector, then update to include the related marketplace iDRAC PSM plugin configurations.
   https://cyberark-customers.force.com/mplace/s/#a352J000000prc2QAA-a392J000001h4rHQAQ .
4. Name the connector to fit your naming scheme. Something like PSM-Web-iDRACv9-Domain. The display name could then be iDRAC v9 Domain, or just iDRAC v9 and link only to Windows Domain platforms.
5. Update the connection component’s LogonURL to include the PSMRemoteMachine parameter. Navigate to PSM-Web-iDRACv9-Domain>Target Settings>Web Form Settings> LogonURL . Then update the LogonURL field to be this: https://{PSMRemoteMachine}/restgui/start.html
6. Next, update WebFormFields:
   username>{username}(searchby=name)
   password>(Button)(searchby=name)
   password>{password}(searchby=name)
   //select/option^[2^]>(Click)(searchby=Xpath)
   cux-button>(Button)(searchby=class)
   ci-user-profile-core>(Validation)(searchby=class)
   ci-nav-help-core>(Validation)(searchby=class)
7. Click apply to save settings.
8. It takes longer for the plugin to step through the site because of the different logon steps required. Double the timeouts here:
   Administration>Options>Connection Components>PSM-Web-iDRACv9-Domain>Target Settings>
   ActionTimeout = 30
   PageLoadTimeout = 60
9. To show the connector for your related windows domain accounts, you need to update the related platform. Under Administration>Platform Management>related Platform>Edit>UI & Workflows>Connection Components, add a new parameter called PSM-Web-iDRACv9-Domain . Set Enable to Yes.
10. Next, Under Administration>Platform Management>related Platform>Edit>UI & Workflows>Connection Components > PSM-Web-iDRACv9-Domain > Override User Parameters > , Add the PSMRemoteMachine parameter.
11. Set the related PSMRemoteMachine configuration:
    Name: PSMRemoteMachine
    Visible: Yes
    Type: CyberArk.PasswordVault.Web.TransparentConnection.RemoteMachineUserParameter, CyberArk.PasswordVault.Web
    Required: Yes. Hit OK to save settings.
12. Navigate to Accounts> select your windows domain account that has the platform with the linked iDrac v9 domain connector.
13. Click the related iDrac v9 Domain PSM connect button.
14. Enter in the specific IP and/or FQDN for the target iDRAC host you want to connect to.
15. Click Connect.
16. You should now be logged into the iDRAC with your privileged windows domain account.

Additional thoughts —

1. Are your domain privilege accounts set for one-time use? Do they rotate after use ~60 minutes later?
2. If the PSM connection doesn’t work, it could be that your iDRAC certificate does not have the correct subject alternative names set. For example, the IP address being provided, or short name the user(s) are entering. Ideally have the FQDN, short name, and IP address on the certificate which is loaded onto the iDRAC.
3. If you’re not configuring your iDRACs to utilize certificates and HTTPS, you’re doing it wrong!
4. Think about where you would securely store your break-glass root accounts for the iDRACs outside the vault(s) incase the vaults are not functioning and available.
5. Same thing about vault administrator local accounts you’ll need to then log into the vault server OS. Are those in the same spot in your physical safe? What procedures are around this?
6. Check out the official CyberArk documentation if needed.
7. If the above steps don’t, it’s possible the iDRAC UI changed and needs adjusted further to make it work again. See if there was a marketplace update to the regular iDRAC v9 PSM web plugin and update accordingly if needed.
8. Do NOT utilize Windows “domain admin” accounts for this purpose. Use least privilege.
9. Check out my other blog post around creating CyberArk PSM Web plugins — https://medium.com/@aglerj/creating-custom-cyberark-psm-web-plugins-6de4238ca468

Looking for a partner in your Privileged Access Management rollout?

Check out my site here — https://www.keyvaultsolutions.com/pages/contact-us