CPC-CDE-RECERT CyberArk CDE-CPC Recertification Questions and Answers

When deploying a CyberArk Identity Connector to integrate Privilege Cloud Shared Services with an Active Directory environment, the server hosting the Identity Connector must meet specific requirements to ensure proper integration and functionality. The necessary condition is:

The Identity Connector Server must be joined to the Active Directory (Option A). This requirement ensures that the server can communicate effectively with the Active Directory services and manage identity data securely and efficiently. Being part of the Active Directory domain facilitates authentication and authorization processes required for the connector to function correctly.

The default authentication profile to access CyberArk Identity is typically the Default New Device Login Profile. This profile is used to manage the authentication settings and security measures for devices accessing CyberArk services for the first time. It includes configurations such as authentication methods, security checks, and compliance requirements, ensuring that new devices meet the organization’s security standards before gaining access.

CyberArk’s Privilege Cloud Standard SAML configuration documentation states that, before using SAML, users must already be defined in Privilege Cloud and provides two supported methods:

Integrate with your LDAP server (recommended) → this provisions users into Privilege Cloud. (Answer A)

Create CyberArk users in Privilege Cloud with identical details as the users who will access via SAML. (Answer D)

The other options are not valid “user definition” methods for this requirement:

SIEM and Email system integrations don’t define users in Privilege Cloud.

E is not a supported/customer method in Privilege Cloud Standard documentation (and Privilege Cloud is a managed service; you don’t create users by directly manipulating the service database).

CyberArk documents that for upgrading Privilege Cloud connector components, there are two upgrade tools:

Connector Management installer (recommended)

Privilege Cloud installer (legacy)

That corresponds to B and C.

AllowedSafes is a regular expression and is case sensitive.

The regex Win (with no anchors) will match any Safe name that contains the exact substring “Win” with the same case:

WindowsPasswords → starts with Win ✅

SQL-Win-SA → contains Win ✅

win-ssh-keys → contains win (lowercase) ❌ (case sensitive)

CXD-WIN-ADMINS → contains WIN (all caps) ❌

WiNdOwS_Accts → mixed case, does not contain the exact substring Win ❌

Therefore the correct choices are A and D.

The error message "CACPM410E Ending password policy Prod-AIX-Root-Accounts since the reconciliation task is active but the AllowedSafes parameter was not updated" suggests an issue with configuration parameters. The likely cause is:

The AllowedSafes parameter does not include the safe containing the reconciliation account defined in the Platform (Option C). This parameter must accurately reflect all safes where the reconciliation account operates to ensure proper management and access by the Central Policy Manager (CPM). If the safe containing the reconciliation account is not listed, the CPM cannot perform its tasks, leading to this error.

https://docs.cyberark.com/privilege-cloud-standard/latest/en/content/privilege%20cloud/privcloud-app-users.htm

In the Privilege Cloud Shared Services model, user access and MFA are driven through CyberArk Identity / Shared Services, and CyberArk publishes a dedicated list of “MFA options in Shared Services” for the user portal and supported challenges.

In CyberArk PAM Self-Hosted, MFA is typically achieved by enabling and integrating additional authentication methods such as RADIUS, SAML, PKI, LDAP, Windows, CyberArk, etc., depending on the organization’s design.

So, the accurate comparison is that Privilege Cloud (Shared Services) leverages CyberArk Identity, while PAM Self-Hosted relies on enabling/integrating the relevant authentication/MFA methods in the self-hosted environment → B.

CyberArk’s hardening instructions for SUSE (manual hardening) explicitly require:

Updating the SSH daemon configuration in /etc/ssh/sshd_config (for example, removing SFTP subsystem definitions and setting multiple hardening-related attributes such as disabling forwarding features).

Ensuring the credential file for the PSM for SSH gateway user (psmpgwuser.cred) has the required permissions 640 (default path shown as /etc/opt/CARKpsmp/Vault/psmpgwuser.cred).

Those map directly to A and C.

https://docs.cyberark.com/privilege-cloud-shared-services/Latest/en/Content/Privilege%20Cloud/privCloud-connect-siem.htm

The correct description of the authentication differences between CyberArk Privilege Cloud and CyberArk PAM Self-Hosted is that CyberArk Privilege Cloud uses cloud-based methods, integrating with CyberArk Identity for Multi-Factor Authentication (MFA), and supports SAML and OIDC, while CyberArk PAM Self-Hosted relies on on-premises methods such as RADIUS and LDAP, but can adopt SAML or OIDC with additional setups. CyberArk Privilege Cloud is designed to leverage modern cloud-based authentication protocols to enhance security and ease of use, particularly in distributed and diverse IT environments. In contrast, CyberArk PAM Self-Hosted offers flexibility to use traditional on-premises authentication methods but also supports modern protocols if configured to do so.

The Identity Connector communicates with the CyberArk Identity tenant using outbound HTTPS (TCP 443). CyberArk states the connector’s internet connections are outbound and use TCP 80/443 (with 443 being the standard requirement).

For AD/LDAP authentication using LDAPS, the connector host must be able to reach the Domain Controller on TCP 636 (LDAPS).

Why the others are incorrect:

The Identity Connector design is outbound; you do not open inbound 443 from the tenant to the connector host (so D is wrong).

LDAPS traffic is between the connector host and the domain controller, not the CyberArk tenant directly to your DC (so C and E are wrong).

https://docs.cyberark.com/pam-self-hosted/latest/en/content/pasimp/administrating-the-psmp.htm#Createamaintenanceuser

To configure a platform to work with load-balanced Privileged Session Managers (PSMs), you should:

Create a new PSM definition that targets the load balancer IP address and assign it to the platform (Option B). This approach involves configuring the platform settings to direct session traffic through a load balancer that distributes the load across multiple PSM servers. This is effective in environments where high availability and fault tolerance are priorities.

https://docs.cyberark.com/identity/latest/en/content/coreservices/connector/connector-install.htm

In the directory lookup order for the CyberArk Privilege Cloud solution, the "CyberArk Cloud Directory" is always looked up first. This directory service is a part of the CyberArk Privilege Cloud infrastructure and is specifically designed to handle identity and access management within the cloud environment efficiently. It prioritizes the CyberArk Cloud Directory for authentication and identity resolution before consulting any external directory services.

PSM relies on Microsoft Remote Desktop Services capabilities on Windows, and CyberArk documentation/knowledge articles call out RDS CAL considerations for PSM deployments (including guidance on CAL type implications, especially with Windows Server 2019 licensing enforcement behavior).

According to best practice, when considering the location of PSM Connector servers in Privilege Cloud environments, the PSM should be placed near the target devices. This placement minimizes latency and maximizes performance by reducing the distance that data has to travel between the PSM servers and the devices they are managing. This is particularly important for maintaining high efficiency and response times during remote session management and operations, which are critical for the overall effectiveness of the Privilege Cloud environment.

CyberArk documents that the HTML5 gateway tunnels the session using a secure WebSocket over port 443, enabling users to access PSM sessions from a web browser (instead of requiring an RDP client connection from the endpoint).

In Privilege Cloud remote access for employees, CyberArk describes using Remote Access and HTML5 to enable secure remote access sessions through PSM “from any web browser,” eliminating the need for VPN clients.

Given the provided answer choices, A is the only option that matches the documented “tunneling” role of the HTML5 Gateway (even though the most precise phrasing in CyberArk docs is “tunnels the session between the end user and the PSM machine”).

Why the other options are incorrect:

B: Authentication is handled by Privilege Cloud/IdP mechanisms; the HTML5 gateway’s documented role is session tunneling, not being the primary authenticator.

C: CyberArk explicitly positions HTML5 remote access as eliminating the need for VPN clients (not providing VPN).

D: This is marketing language not reflected as the HTML5 gateway’s documented purpose.

For Shared Services (ISPSS), CyberArk’s Identity Administration documentation states: “To provision users based on on-prem directory services, you must first install the Identity Connector.”

This is because Privilege Cloud Shared Services leverages CyberArk Identity directory services integration (via the Identity Connector) for AD/LDAP provisioning and authentication.

https://docs.cyberark.com/pam-self-hosted/14.0/en/content/pas%20inst/following-installation-of-psmp.htm

When installing the Privileged Session Manager (PSM) on multiple servers, it is required that each PSM installation has the same path to the same recordings directory. This is necessary to ensure that session recordings are stored consistently across different PSM instances, which is important for high availability and load balancing implementations, as well as for maintaining a unified audit trail.

CyberArk’s PSM for SSH administration documentation explains how to create maintenance access by updating the SSH daemon configuration:

In /etc/ssh/sshd_config, add an AllowGroups entry that includes the maintenance group(s):AllowGroups PSMConnectUsers ..

This matches option C exactly: you enable the additional maintenance user by placing them in the group(s) referenced by AllowGroups in sshd_config.